Windows Analysis Report
j76l1AiIHm.exe

Overview

General Information

Sample name:j76l1AiIHm.exe
renamed because original name is a hash value
Original sample name:ED1EA689D80A7FAB60271D8D24267A5B.exe
Analysis ID:1425667
MD5:ed1ea689d80a7fab60271d8d24267a5b
SHA1:cbc58903e5ef9a21f32bd86c158039eead84c2e3
SHA256:31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2
Tags: exe, njrat, RAT
Infos:

Detection

Njrat
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Disables zone checking for all users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • j76l1AiIHm.exe (PID: 6852 cmdline: "C:\Users\user\Desktop\j76l1AiIHm.exe" MD5: ED1EA689D80A7FAB60271D8D24267A5B)
    • chargeable.exe (PID: 7268 cmdline: "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" MD5: 487F849292C93F358B174826265C2296)
      • chargeable.exe (PID: 7304 cmdline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe MD5: 487F849292C93F358B174826265C2296)
        • netsh.exe (PID: 7676 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
          • conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • chargeable.exe (PID: 7368 cmdline: "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" MD5: 487F849292C93F358B174826265C2296)
    • chargeable.exe (PID: 7528 cmdline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe MD5: 487F849292C93F358B174826265C2296)
      • WerFault.exe (PID: 7644 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7528 -s 8 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • chargeable.exe (PID: 7536 cmdline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe MD5: 487F849292C93F358B174826265C2296)
  • j76l1AiIHm.exe (PID: 7872 cmdline: "C:\Users\user\Desktop\j76l1AiIHm.exe" MD5: ED1EA689D80A7FAB60271D8D24267A5B)
  • chargeable.exe (PID: 8076 cmdline: "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" MD5: 487F849292C93F358B174826265C2296)
    • chargeable.exe (PID: 8148 cmdline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe MD5: 487F849292C93F358B174826265C2296)
  • j76l1AiIHm.exe (PID: 7208 cmdline: "C:\Users\user\Desktop\j76l1AiIHm.exe" MD5: ED1EA689D80A7FAB60271D8D24267A5B)
  • cleanup
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
{"Host": "doddyfire.linkpc.net", "Port": "10000", "Version": "0.7d", "Campaign ID": "neuf", "Install Name": "softcontrol.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Njrat_1 | Yara detected Njrat | Joe Security

Source | Rule | Description | Author | Strings
00000002.00000002.1757433092.0000000003631000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000002.00000002.1757433092.0000000003631000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x4070e:$a1: get_Registry
  • 0x417ea:$a2: SEE_MASK_NOZONECHECKS
  • 0x418e6:$a3: Download ERROR
  • 0x417ac:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x4173e:$a5: netsh firewall delete allowedprogram "
00000002.00000002.1757433092.0000000003631000.00000004.00000800.00020000.00000000.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4181a:$a1: netsh firewall add allowedprogram
  • 0x417ea:$a2: SEE_MASK_NOZONECHECKS
  • 0x41a94:$b1: [TAP]
  • 0x417ac:$c3: cmd.exe /c ping
00000002.00000002.1757433092.0000000003631000.00000004.00000800.00020000.00000000.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x417ea:$reg: SEE_MASK_NOZONECHECKS
  • 0x418c2:$msg: Execute ERROR
  • 0x4191e:$msg: Execute ERROR
  • 0x417ac:$ping: cmd.exe /c ping 0 -n 2 & del
00000007.00000002.1865981643.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security

Source | Rule | Description | Author | Strings
2.2.chargeable.exe.366da74.1.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
2.2.chargeable.exe.366da74.1.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x1e9a:$a1: get_Registry
  • 0x2f76:$a2: SEE_MASK_NOZONECHECKS
  • 0x3072:$a3: Download ERROR
  • 0x2f38:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x2eca:$a5: netsh firewall delete allowedprogram "
2.2.chargeable.exe.366da74.1.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x2f38:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x3090:$s3: Executed As
  • 0x3072:$s6: Download ERROR
2.2.chargeable.exe.366da74.1.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x2fa6:$a1: netsh firewall add allowedprogram
  • 0x2f76:$a2: SEE_MASK_NOZONECHECKS
  • 0x3220:$b1: [TAP]
  • 0x2f38:$c3: cmd.exe /c ping
2.2.chargeable.exe.366da74.1.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x2f76:$reg: SEE_MASK_NOZONECHECKS
  • 0x304e:$msg: Execute ERROR
  • 0x30aa:$msg: Execute ERROR
  • 0x2f38:$ping: cmd.exe /c ping 0 -n 2 & del

          System Summary

          Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\j76l1AiIHm.exe, ProcessId: 6852, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse
          Timestamp: 04/14/24-05:17:19.830267, SID: 2033132, Source Port: 49744, Destination Port: 10000, Protocol: TCP, Classtype: A Network Trojan was detected
          Timestamp: 04/14/24-05:20:16.466801, SID: 2825564, Source Port: 49744, Destination Port: 10000, Protocol: TCP, Classtype: A Network Trojan was detected
          Timestamp: 04/14/24-05:20:16.466801, SID: 2814860, Source Port: 49744, Destination Port: 10000, Protocol: TCP, Classtype: A Network Trojan was detected
          Timestamp: 04/14/24-05:17:20.392009, SID: 2825563, Source Port: 49744, Destination Port: 10000, Protocol: TCP, Classtype: A Network Trojan was detected
          Timestamp: 04/14/24-05:17:20.392009, SID: 2814856, Source Port: 49744, Destination Port: 10000, Protocol: TCP, Classtype: A Network Trojan was detected

          AV Detection

          Source: j76l1AiIHm.exe, Avira: detected
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, Avira: detection malicious, Label: HEUR/AGEN.1305435
          Source: 00000002.00000002.1757433092.0000000003631000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Njrat {"Host": "doddyfire.linkpc.net", "Port": "10000", "Version": "0.7d", "Campaign ID": "neuf", "Install Name": "softcontrol.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}
          Source: j76l1AiIHm.exe, ReversingLabs: Detection: 92%
          Source: j76l1AiIHm.exe, Virustotal: Detection: 90%
          Source: Yara match, File source: 2.2.chargeable.exe.366da74.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.chargeable.exe.366da74.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000002.00000002.1757433092.0000000003631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000002.1865981643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.4102178784.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: chargeable.exe PID: 7268, type: MEMORYSTR
          Source: Yara match, File source: Process Memory Space: chargeable.exe PID: 7304, type: MEMORYSTR
          Source: Yara match, File source: Process Memory Space: chargeable.exe PID: 7536, type: MEMORYSTR
          Source: Yara match, File source: dump.pcap, type: PCAP
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, Joe Sandbox ML: detected
          Source: j76l1AiIHm.exe, Joe Sandbox ML: detected
          Source: j76l1AiIHm.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
          Source: j76l1AiIHm.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

          Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49744 -> 41.249.48.248:10000
          Source: Traffic, Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49744 -> 41.249.48.248:10000
          Source: Traffic, Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49744 -> 41.249.48.248:10000
          Source: Traffic, Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49744 -> 41.249.48.248:10000
          Source: Traffic, Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49744 -> 41.249.48.248:10000
          Source: Malware configuration extractor, URLs: doddyfire.linkpc.net
          Source: global traffic, TCP traffic: 192.168.2.4:49744 -> 41.249.48.248:10000
          Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown, DNS traffic detected: queries for: doddyfire.linkpc.net

          Key, Mouse, Clipboard, Microphone and Screen Capturing

          Source: 2.2.chargeable.exe.366da74.1.raw.unpack, kl.cs, .Net Code: VKCodeToUnicode

          E-Banking Fraud

          Source: Yara match, File source: 2.2.chargeable.exe.366da74.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.chargeable.exe.366da74.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000002.00000002.1757433092.0000000003631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000002.1865981643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.4102178784.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: chargeable.exe PID: 7268, type: MEMORYSTR
          Source: Yara match, File source: Process Memory Space: chargeable.exe PID: 7304, type: MEMORYSTR
          Source: Yara match, File source: Process Memory Space: chargeable.exe PID: 7536, type: MEMORYSTR
          Source: Yara match, File source: dump.pcap, type: PCAP

          System Summary

          Source: 2.2.chargeable.exe.366da74.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
          Source: 2.2.chargeable.exe.366da74.1.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
          Source: 2.2.chargeable.exe.366da74.1.unpack, type: UNPACKEDPE, Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
          Source: 2.2.chargeable.exe.366da74.1.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.chargeable.exe.366da74.1.unpack, type: UNPACKEDPE, Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
          Source: 2.2.chargeable.exe.366da74.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
          Source: 2.2.chargeable.exe.366da74.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
          Source: 2.2.chargeable.exe.366da74.1.raw.unpack, type: UNPACKEDPE, Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
          Source: 2.2.chargeable.exe.366da74.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.chargeable.exe.366da74.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
          Source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
          Source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
          Source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
          Source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
          Source: 00000002.00000002.1757433092.0000000003631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
          Source: 00000002.00000002.1757433092.0000000003631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
          Source: 00000002.00000002.1757433092.0000000003631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.1865981643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
          Source: 00000007.00000002.1865981643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
          Source: 00000007.00000002.1865981643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, Code function: 2_2_07180E3E NtResumeThread,2_2_07180E3E
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, Code function: 2_2_07180EE6 NtWriteVirtualMemory,2_2_07180EE6
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, Code function: 2_2_07180EB9 NtWriteVirtualMemory,2_2_07180EB9
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, Code function: 2_2_07180DFA NtResumeThread,2_2_07180DFA
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, Code function: 4_2_067C0EE6 NtWriteVirtualMemory,4_2_067C0EE6
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, Code function: 4_2_067C0E3E NtResumeThread,4_2_067C0E3E
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, Code function: 4_2_067C0DFA NtResumeThread,4_2_067C0DFA
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, Code function: 4_2_067C0EB9 NtWriteVirtualMemory,4_2_067C0EB9
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, Code function: 16_2_05030E3E NtResumeThread,16_2_05030E3E
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, Code function: 16_2_05030EE6 NtWriteVirtualMemory,16_2_05030EE6
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, Code function: 16_2_05030EB9 NtWriteVirtualMemory,16_2_05030EB9
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, Code function: 16_2_05030DFA NtResumeThread,16_2_05030DFA
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, Code function: 3_2_052E22D83_2_052E22D8
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7528 -s 8
          Source: j76l1AiIHm.exe, 00000000.00000000.1627833213.0000000000B6E000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilename1.exe0 vs j76l1AiIHm.exe
          Source: j76l1AiIHm.exe, 00000000.00000000.1627792721.0000000000B52000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilename1.exe0 vs j76l1AiIHm.exe
          Source: j76l1AiIHm.exe, 00000000.00000002.1723722217.0000000001228000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilename1.exe0 vs j76l1AiIHm.exe
          Source: j76l1AiIHm.exe, 00000000.00000002.1724652543.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameriched20.dllp( vs j76l1AiIHm.exe
          Source: j76l1AiIHm.exe, 00000000.00000002.1724652543.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilename vs j76l1AiIHm.exe
          Source: j76l1AiIHm.exe, 00000000.00000002.1724652543.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: lU,\\StringFileInfo\\000004B0\\OriginalFilenameL. vs j76l1AiIHm.exe
          Source: j76l1AiIHm.exe, 00000000.00000002.1724652543.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameb6052.dll4 vs j76l1AiIHm.exe
          Source: j76l1AiIHm.exe, 00000000.00000002.1725571646.0000000008570000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameb6052.dll4 vs j76l1AiIHm.exe
          Source: j76l1AiIHm.exe, 00000000.00000002.1723722217.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamemscorwks.dllT vs j76l1AiIHm.exe
          Source: j76l1AiIHm.exe, 00000000.00000002.1724787024.00000000041F1000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilename1.exe0 vs j76l1AiIHm.exe
          Source: j76l1AiIHm.exe, 0000000D.00000002.1897571501.0000000003196000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameriched20.dllp( vs j76l1AiIHm.exe
          Source: j76l1AiIHm.exe, 0000000D.00000002.1897571501.0000000003196000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilename vs j76l1AiIHm.exe
          Source: j76l1AiIHm.exe, 0000000D.00000002.1897571501.0000000003196000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: lU,\\StringFileInfo\\000004B0\\OriginalFilenameL. vs j76l1AiIHm.exe
          Source: j76l1AiIHm.exe, 00000012.00000002.2059001797.0000000002846000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameriched20.dllp( vs j76l1AiIHm.exe
          Source: j76l1AiIHm.exe, 00000012.00000002.2059001797.0000000002846000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilename vs j76l1AiIHm.exe
          Source: j76l1AiIHm.exe, 00000012.00000002.2059001797.0000000002846000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: lU,\\StringFileInfo\\000004B0\\OriginalFilenameL. vs j76l1AiIHm.exe
          Source: j76l1AiIHm.exe, Binary or memory string: OriginalFilename1.exe0 vs j76l1AiIHm.exe
          Source: j76l1AiIHm.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: j76l1AiIHm.exe, MusicExpressMain.csBase64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'
          Source: chargeable.exe.0.dr, MusicExpressMain.csBase64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'
          Source: 0.2.j76l1AiIHm.exe.41f7ef0.2.raw.unpack, MusicExpressMain.csBase64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'
          Source: 0.2.j76l1AiIHm.exe.42128d0.1.raw.unpack, MusicExpressMain.csBase64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'
          Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@19/8@4/1
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Code function: 3_2_054E145E AdjustTokenPrivileges,3_2_054E145E
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Code function: 3_2_054E1427 AdjustTokenPrivileges,3_2_054E1427
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe File created: C:\Users\user\AppData\Roaming\confuse
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Mutant created: NULL
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Mutant created: \Sessions\1\BaseNamedObjects\e1a87040f2026369a233f9ae76301b7b
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
          Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7528
          Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6ad16baa-214f-4d80-aa6a-5540976e263c
          Source: j76l1AiIHm.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: j76l1AiIHm.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: j76l1AiIHm.exe ReversingLabs: Detection: 92%
          Source: j76l1AiIHm.exe Virustotal: Detection: 90%
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe File read: C:\Users\user\Desktop\j76l1AiIHm.exe
          Source: unknown Process created: C:\Users\user\Desktop\j76l1AiIHm.exe "C:\Users\user\Desktop\j76l1AiIHm.exe"
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe
          Source: unknown Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7528 -s 8
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: version.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: dwrite.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: riched20.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: usp10.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: msls31.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: textshaping.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: shfolder.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: edputil.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: appresolver.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: slc.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: mscoree.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: apphelp.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: wldp.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: profapi.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: uxtheme.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: dwrite.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: riched20.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: usp10.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: msls31.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: textshaping.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: shfolder.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: windowscodecs.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: mswsock.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: rasadhlp.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: fwpuclnt.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: sspicli.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: wbemcomn.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: amsi.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: userenv.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: avicap32.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: msvfw32.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Section loaded: winmm.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
          Source: j76l1AiIHm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
          Source: j76l1AiIHm.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Data Obfuscation

          Source: 2.2.chargeable.exe.366da74.1.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
          Source: j76l1AiIHm.exe Static PE information: section name: .l2
          Source: chargeable.exe.0.dr Static PE information: section name: .l2
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe File created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

          Boot Survival

          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run confuse
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysMain
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Memory allocated: 1190000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Memory allocated: 31F0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Memory allocated: 51F0000 memory commit | memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 19A0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 35A0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 55A0000 memory commit | memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 14D0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 31A0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 14F0000 memory commit | memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: D70000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 2C40000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: D70000 memory commit | memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: E90000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 2B00000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 4B00000 memory commit | memory reserve | memory write watch
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Memory allocated: 14A0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Memory allocated: 3170000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Memory allocated: 14A0000 memory commit | memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 1080000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 2D90000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 1100000 memory commit | memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 1410000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 30E0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 50E0000 memory commit | memory reserve | memory write watch
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Memory allocated: BB0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Memory allocated: 2820000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Memory allocated: 4820000 memory commit | memory reserve | memory write watch
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Window / User API: threadDelayed 1356
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Window / User API: threadDelayed 3700
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Window / User API: threadDelayed 4372
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Window / User API: foregroundWindowGot 1765
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe TID: 3748 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7292 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7308 Thread sleep count: 1356 > 30
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7308 Thread sleep time: -1356000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7776 Thread sleep count: 3700 > 30
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7308 Thread sleep count: 4372 > 30
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7308 Thread sleep time: -4372000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7384 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7568 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe TID: 7892 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 8100 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 8184 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe TID: 7244 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: chargeable.exe, 00000003.00000002.4100993059.0000000001082000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000000B.00000002.1829384712.000000000361B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: 0.2.j76l1AiIHm.exe.324c09c.0.raw.unpack, D.cs .Net Code: Run contains injection code
          Source: 0.2.j76l1AiIHm.exe.8570000.3.raw.unpack, D.cs .Net Code: Run contains injection code
          Source: 2.2.chargeable.exe.35fc2fc.0.raw.unpack, D.cs .Net Code: Run contains injection code
          Source: 0.2.j76l1AiIHm.exe.324c09c.0.raw.unpack, D.cs Reference to suspicious API methods: VirtualAllocEx((IntPtr)array4[0], intPtr, *(uint*)(ptr2 + 80), 12288u, 64u)
          Source: 0.2.j76l1AiIHm.exe.324c09c.0.raw.unpack, D.cs Reference to suspicious API methods: NtWriteVirtualMemory((IntPtr)array4[0], intPtr, (IntPtr)ptr5, *(uint*)(ptr2 + 84), IntPtr.Zero)
          Source: 0.2.j76l1AiIHm.exe.324c09c.0.raw.unpack, D.cs Reference to suspicious API methods: NtSetContextThread((IntPtr)array4[1], (IntPtr)ptr4)
          Source: 2.2.chargeable.exe.366da74.1.raw.unpack, kl.cs Reference to suspicious API methods: MapVirtualKey(a, 0u)
          Source: 2.2.chargeable.exe.366da74.1.raw.unpack, kl.cs Reference to suspicious API methods: GetAsyncKeyState(num2)
          Source: 2.2.chargeable.exe.366da74.1.raw.unpack, OK.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory written: C:\Users\user\AppData\Roaming\confuse\chargeable.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe
          Source: chargeable.exe, 00000003.00000002.4102178784.000000000320F000.00000004.00000800.00020000.00000000.sdmp, chargeable.exe, 00000003.00000002.4102178784.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, chargeable.exe, 00000003.00000002.4102178784.000000000321C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
          Source: chargeable.exe, 00000003.00000002.4102178784.000000000320F000.00000004.00000800.00020000.00000000.sdmp, chargeable.exe, 00000003.00000002.4102178784.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, chargeable.exe, 00000003.00000002.4102178784.000000000321C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@9
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\j76l1AiIHm.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe; Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\netsh.exe; Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe; Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
          Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

          Stealing of Sensitive Information

          Source: Yara match; File source: 2.2.chargeable.exe.366da74.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 2.2.chargeable.exe.366da74.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000002.00000002.1757433092.0000000003631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000002.1865981643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.4102178784.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: chargeable.exe PID: 7268, type: MEMORYSTR
          Source: Yara match; File source: Process Memory Space: chargeable.exe PID: 7304, type: MEMORYSTR
          Source: Yara match; File source: Process Memory Space: chargeable.exe PID: 7536, type: MEMORYSTR
          Source: Yara match; File source: dump.pcap, type: PCAP

          Remote Access Functionality

          Source: Yara match; File source: 2.2.chargeable.exe.366da74.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 2.2.chargeable.exe.366da74.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000002.00000002.1757433092.0000000003631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000002.1865981643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.4102178784.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: chargeable.exe PID: 7268, type: MEMORYSTR
          Source: Yara match; File source: Process Memory Space: chargeable.exe PID: 7304, type: MEMORYSTR
          Source: Yara match; File source: Process Memory Space: chargeable.exe PID: 7536, type: MEMORYSTR
          Source: Yara match; File source: dump.pcap, type: PCAP
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 11 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 1 Masquerading | 1 Input Capture | 1 Security Software Discovery | Remote Services | 1 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 212 Process Injection | 31 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 Registry Run Keys / Startup Folder | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Access Token Manipulation | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 212 Process Injection | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          [Behavior Graph: ID 1425667; Sample: j76l1AiIHm.exe; Startdate: 14/04/2024; Architecture: WINDOWS; Score: 100]

          Source | Detection | Scanner | Label | Link
          j76l1AiIHm.exe | 92% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi |
          j76l1AiIHm.exe | 90% | Virustotal | | Browse
          j76l1AiIHm.exe | 100% | Avira | HEUR/AGEN.1305435 |
          j76l1AiIHm.exe | 100% | Joe Sandbox ML | |

          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Roaming\confuse\chargeable.exe | 100% | Avira | HEUR/AGEN.1305435 |
          C:\Users\user\AppData\Roaming\confuse\chargeable.exe | 100% | Joe Sandbox ML | |

          No Antivirus matches
          No Antivirus matches

          Source | Detection | Scanner | Label | Link
          http://www.tiro.com | 0% | URL Reputation | safe |
          http://www.goodfont.co.kr | 0% | URL Reputation | safe |
          http://www.carterandcone.coml | 0% | URL Reputation | safe |
          http://www.sajatypeworks.com | 0% | URL Reputation | safe |
          http://www.typography.netD | 0% | URL Reputation | safe |
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
          http://www.sandoll.co.kr | 0% | URL Reputation | safe |
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
          http://www.sakkal.com | 0% | URL Reputation | safe |
          http://www.sakkal.com | 0% | URL Reputation | safe |
          http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe |
          http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe |
          http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe |
          http://www.founder.com.cn/cn | 0% | Avira URL Cloud | safe |
          http://www.zhongyicts.com.cn | 1% | Virustotal | | Browse
          http://www.founder.com.cn/cn/cThe | 0% | Virustotal | | Browse
          http://www.founder.com.cn/cn | 0% | Virustotal | | Browse
          http://www.founder.com.cn/cn/bThe | 0% | Virustotal | | Browse

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          doddyfire.linkpc.net | 41.249.48.248 | true | false | | high

          Name | Malicious | Antivirus Detection | Reputation
          doddyfire.linkpc.net | false | | high

          IP | Domain | Country | Flag | ASN | ASN Name | Malicious
          41.249.48.248 | doddyfire.linkpc.net | Morocco | | 36903 | MT-MPLSMA | false

          Joe Sandbox version: 40.0.0 Tourmaline
          Analysis ID: 1425667
          Start date and time: 2024-04-14 05:16:03 +02:00
          Joe Sandbox product: CloudBasic
          Overall analysis duration: 0h 9m 28s
          Hypervisor based Inspection enabled: false
          Report type: full
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed: 20
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Sample name: j76l1AiIHm.exe (renamed because original name is a hash value)
          Original Sample Name: ED1EA689D80A7FAB60271D8D24267A5B.exe
          Detection: MAL
          Classification: mal100.phis.troj.spyw.evad.winEXE@19/8@4/1
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 232
          • Number of non-executed functions: 1
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Override analysis time to 240000 for current running targets taking high CPU consumption
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 13.89.179.12
          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes were analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.

          Time | Type | Description
          04:16:55 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run confuse C:\Users\user\AppData\Roaming\confuse\chargeable.exe
          04:17:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysMain C:\Users\user\Desktop\j76l1AiIHm.exe
          04:17:12 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run confuse C:\Users\user\AppData\Roaming\confuse\chargeable.exe
          04:17:21 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysMain C:\Users\user\Desktop\j76l1AiIHm.exe
          05:17:25 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
          05:17:44 | API Interceptor | 756501x Sleep call for process: chargeable.exe modified

                                  No context
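
          Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
          doddyfire.linkpc.net | QpcOa13BU1.exe | Get hash | malicious | Njrat | Browse | 41.249.108.177
          doddyfire.linkpc.net | z9gxPEpWws.exe | Get hash | malicious | Njrat | Browse | 41.249.108.177
          doddyfire.linkpc.net | 7Hr9O6jK2l.exe | Get hash | malicious | Njrat | Browse | 41.249.108.177
          doddyfire.linkpc.net | tuYTv9rjMX.exe | Get hash | malicious | Njrat | Browse | 160.178.39.123
          doddyfire.linkpc.net | eDafoy5XIk.exe | Get hash | malicious | Njrat | Browse | 160.178.39.123
          doddyfire.linkpc.net | KSqpu62vE4.exe | Get hash | malicious | Njrat | Browse | 160.178.39.123
          doddyfire.linkpc.net | VDPIYNN1uz.exe | Get hash | malicious | Njrat | Browse | 160.178.39.123
          doddyfire.linkpc.net | hzapnLzS07.exe | Get hash | malicious | Njrat | Browse | 105.154.98.75
          doddyfire.linkpc.net | 4uiq6wtMeQ.exe | Get hash | malicious | Njrat | Browse | 105.155.169.10
          doddyfire.linkpc.net | TBYtld7aq2.exe | Get hash | malicious | Njrat | Browse | 160.176.152.91
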
                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  MT-MPLSMAQpcOa13BU1.exeGet hashmaliciousNjratBrowse
                                  • 41.249.108.177
                                  z9gxPEpWws.exeGet hashmaliciousNjratBrowse
                                  • 41.249.108.177
                                  7Hr9O6jK2l.exeGet hashmaliciousNjratBrowse
                                  • 41.249.108.177
                                  7m7X62tiZr.elfGet hashmaliciousMiraiBrowse
                                  • 41.140.123.140
                                  arm7.elfGet hashmaliciousMirai, MoobotBrowse
                                  • 41.143.204.137
                                  arm.elfGet hashmaliciousMirai, MoobotBrowse
                                  • 41.249.64.245
                                  6UN4xYCTnf.elfGet hashmaliciousMiraiBrowse
                                  • 196.84.14.209
                                  g5FxNXoqH7.elfGet hashmaliciousMiraiBrowse
                                  • 41.140.45.228
                                  Jhp36KuZgS.elfGet hashmaliciousMiraiBrowse
                                  • 41.141.72.131
                                  PLbUBC99tq.elfGet hashmaliciousMiraiBrowse
                                  • 102.78.250.76
                                  No context
                                  No context
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.5828846376739676
                                  Encrypted:false
                                  SSDEEP:96:qGpMfFW0IKY+BvksQhMov7JfqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAQfc:Cs0I3+BvkD0WbkQzuiF2Z24IO8b
                                  MD5:C44084A33E661F161BB18C0386B594FE
                                  SHA1:678ED5A7AE686906DA748544005A38145BBC540F
                                  SHA-256:6FCEF44A41FE7361F6830F3C5DF00C8318DBAE7F172BA26BDD070489256C7594
                                  SHA-512:3B71C07D457D85B387B32D9373ABB4468386BD9930481DFBAB922817E779B08E56CE564E85E066002EEE9FE60990AB5C00DAB4E79E172654562FA3DE5125ED4C
                                  Malicious:false
                                  Reputation:low
                                  Preview:Version=1..EventType=APPCRASH..EventTime=133575382283552408..ReportType=2..Consent=1..UploadTime=133575382326052432..ReportStatus=524384..ReportIdentifier=c504f05f-5d11-4b56-951d-b01763bc91d6..IntegratorReportIdentifier=c1681da8-695f-40a9-997d-abe5c285ceb7..Wow64Host=34404..Wow64Guest=332..NsAppName=bad_module_info..AppSessionGuid=00001d68-0001-0014-1a13-653b1a8eda01..TargetAppId=W:00062e6a9bca99c6c8d15ef6c381ec9969d400000000!000037059ad0f01d0789d82a24576d1da3bce1208e22!chargeable.exe..TargetAp
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):6256
                                  Entropy (8bit):3.6941428913701846
                                  Encrypted:false
                                  SSDEEP:96:RSIU6o7wVetbqCw6v1IHYR3VKGtgaMQUt89bpnsfrDm:R6l7wVeJqCw6vwYh8pDt89bpnsfrDm
                                  MD5:DB281DCAC14595E9D2F1E4A549723D57
                                  SHA1:E507DCB5D561E202A6FAAC85E06F53E84BEDA251
                                  SHA-256:67E6C8B10370ECD4A5F79FB1B778C6EDA01584486E41A355200A2B1EEA99F44F
                                  SHA-512:565A38A048FD4F16E626FC56A1B5E4405C85D51714D2230ABABC7CB79154654E3048F7CD71193223903EA8FC17044EBDB348978F3554C4FE56B5C25979B414BA
                                  Malicious:false
                                  Reputation:low
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>..  <WindowsNTVersion>10.0</WindowsNTVersion>..  <Build>19045</Build>..  <Product>(0x30): Windows 10 Pro</Product>..  <Edition>Professional</Edition>..  <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..  <Revision>2006</Revision>..  <Flavor>Multiprocessor Free</Flavor>..  <Architecture>X64</Architecture>..  <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>..  <Pid>7528</Pi
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4578
                                  Entropy (8bit):4.43433329861328
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zsSJg77aI9wTWpW8VY7Ym8M4JTEFYx+q8akoTKMw5d:uIjfgI7ii7VzJDxVFw5d
                                  MD5:1B6DC25D21A612664A5F66564901D109
                                  SHA1:55FB1187223659D30AAF3AD394712A7D574847D6
                                  SHA-256:544CE4991DB6CC8A702D4EBE2FEC6DB8AD4435042B5621C8680EB010B3C59337
                                  SHA-512:D590987C52C9946CE8685DF45A0BBE3BCC9C80481DDF5E7609AC3B090A25416FC5FD27B96F2B0C5335F893783A219C490902B975FABFD2262CE2C5B0E373DFC0
                                  Malicious:false
                                  Reputation:low
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="279019" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):388
                                  Entropy (8bit):5.20595142366915
                                  Encrypted:false
                                  SSDEEP:12:Q3LaJU2C9XAn10U29xtUz1B0U2uk71K6xhk7v:MLF2CpI329Iz52Ve
                                  MD5:2452328391F7A0B3C56DDF0E6389513E
                                  SHA1:6FE308A325AE8BFB17DE5CAAF54432E5301987B6
                                  SHA-256:2BC0F7D1CBD869EF4FD93B95495C8081B01B3FD627890B006B6A531D8C050AA2
                                  SHA-512:AC65283B0959E112B73160BB4322D0725C7D0EC79E3BB93555B1412204AA72F1F66BB9EB8D8B24B6570EC8717A1A4A129454588C3EA9ACE206B6E9CCB7F2ABDC
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                  Process:C:\Users\user\Desktop\j76l1AiIHm.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):388
                                  Entropy (8bit):5.20595142366915
                                  Encrypted:false
                                  SSDEEP:12:Q3LaJU2C9XAn10U29xtUz1B0U2uk71K6xhk7v:MLF2CpI329Iz52Ve
                                  MD5:2452328391F7A0B3C56DDF0E6389513E
                                  SHA1:6FE308A325AE8BFB17DE5CAAF54432E5301987B6
                                  SHA-256:2BC0F7D1CBD869EF4FD93B95495C8081B01B3FD627890B006B6A531D8C050AA2
                                  SHA-512:AC65283B0959E112B73160BB4322D0725C7D0EC79E3BB93555B1412204AA72F1F66BB9EB8D8B24B6570EC8717A1A4A129454588C3EA9ACE206B6E9CCB7F2ABDC
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4736
                                  Entropy (8bit):3.239089957182978
                                  Encrypted:false
                                  SSDEEP:96:pwpIikkXkkXEkuguW30Qx0QEw0Qg20QXlO0Qh0QSpeguXO9szeuzSzbxGQI5emB9:pplV+uTwnNoeyOkNT
                                  MD5:BFCF05EA49FEE02EADAFBB7D460FC441
                                  SHA1:291FA0F6244FFDF30EC48285536DB544741792C6
                                  SHA-256:B9F46E90FC9CD6056237E66BD27B1DD01080B503AEF8E2BD1BA822B2F1D2F184
                                  SHA-512:321B16DCD66EBFEF4C325F02989A2697C9E3BCEC5BD4554DCC801C04CC7CB42B51186B533F19E8F698AB30E4FBD49A6D6909D67648F2485A30FADD4285BFBCCF
                                  Malicious:false
                                  Preview:..Snapshot statistics:..- Signature : PSSD..- Flags/CaptureFlags : 00000001/d00039ff..- Aux pages : 1 entries long..- VA space stream : 3856 bytes in size..- Handle trace stream : 0 bytes in size..- Handle stream : 450 bytes in size..- Threads : 1 threads..- Thread stream : 832 bytes in size....Snapshot performance counters:..- TotalCycleCount : 2643634 cycles..- VaCloneCycleCount :
                                  Process:C:\Users\user\Desktop\j76l1AiIHm.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):109056
                                  Entropy (8bit):5.866867534593645
                                  Encrypted:false
                                  SSDEEP:1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoy:w5eznsjsguGDFqGx8egoy
                                  MD5:487F849292C93F358B174826265C2296
                                  SHA1:37059AD0F01D0789D82A24576D1DA3BCE1208E22
                                  SHA-256:0D4242855EE32A2B6BE5B1C271CE2BA2E578D33F28AA740ECED199B3E42E03D2
                                  SHA-512:CE419D5CDE12CCD0A989418802BEA7D6A100DDED1438D2A22628DF70890393CC38E1C3955BE28BD6776D5E9852921B0C72B670170ED30C5741C57B063DF3C1AB
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S..[.................x..........^.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...dv... ...x.................. ..`.rsrc...H............|..............@..@.reloc..............................@..B.l2.................................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\netsh.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):313
                                  Entropy (8bit):4.971939296804078
                                  Encrypted:false
                                  SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                                  MD5:689E2126A85BF55121488295EE068FA1
                                  SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                                  SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                                  SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                                  Malicious:false
                                  Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):5.864916382857698
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  File name:j76l1AiIHm.exe
                                  File size:108'992 bytes
                                  MD5:ed1ea689d80a7fab60271d8d24267a5b
                                  SHA1:cbc58903e5ef9a21f32bd86c158039eead84c2e3
                                  SHA256:31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2
                                  SHA512:1ae6c5549c567994c14301f5808bb835084344574b604dbd6b8e0efc208a7b3b96da55030d9e2f406cabb8e0b486f46e87c670d36308006a0a5142e98f9134ec
                                  SSDEEP:1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoe:w5eznsjsguGDFqGx8egoe
                                  TLSH:4EB3EB387D952133C67EC1F689E50A8AEB69223F3191E9ED4CA742C418B2F166DC1D1F
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S..[.................x..........^.... ........@.. ....................................@................................
                                  Icon Hash:90cececece8e8eb0
                                  Entrypoint:0x41965e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x5B1EAC53 [Mon Jun 11 17:07:31 2018 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al
                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19608 | 0x53 | .text
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1e000 | 0x400 | .l2
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c000 | 0xc | .reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  .text | 0x2000 | 0x17664 | 0x17800 | 7acd957f3266ee65ab01391ebf758013 | False | 0.46648520611702127 | data | 5.649987526076151 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  .rsrc | 0x1a000 | 0x348 | 0x400 | 2f8c2571ca02df8c52b2a03fcee90517 | False | 0.37109375 | data | 2.7512174114856074 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc | 0x1c000 | 0xc | 0x200 | 5219651ec1890b5711996a05a6f4ed37 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                  .l2 | 0x1e000 | 0x400 | 0x400 | 8821bc5ab10b630550f47d3029855e20 | False | 0.3720703125 | data | 2.7512174114856074 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                  RT_VERSION | 0x1e060 | 0x2ec | data | | | 0.4625668449197861
                                  DLL | Import
                                  mscoree.dll | _CorExeMain
                                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                  04/14/24-05:17:19.830267 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49744 | 10000 | 192.168.2.4 | 41.249.48.248
                                  04/14/24-05:20:16.466801 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49744 | 10000 | 192.168.2.4 | 41.249.48.248
                                  04/14/24-05:20:16.466801 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49744 | 10000 | 192.168.2.4 | 41.249.48.248
                                  04/14/24-05:17:20.392009 | TCP | 2825563 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) | 49744 | 10000 | 192.168.2.4 | 41.249.48.248
                                  04/14/24-05:17:20.392009 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49744 | 10000 | 192.168.2.4 | 41.249.48.248
                                  TimestampSource PortDest PortSource IPDest IP
                                  Apr 14, 2024 05:18:22.287333965 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:22.287468910 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:22.538391113 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:22.538475990 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:22.624094009 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:22.624183893 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:22.850097895 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:22.850219965 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:22.982034922 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:22.982147932 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:23.289724112 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:23.340893030 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:23.341028929 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:23.599622011 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:23.649648905 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:23.649867058 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:23.899801970 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:23.899996996 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:23.958878040 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:23.958982944 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:24.210217953 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:24.212039948 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:24.320538998 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:24.320771933 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:24.584800959 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:24.673863888 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:24.673989058 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:24.940757036 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:24.944317102 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:25.228235006 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:25.228431940 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:25.472632885 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:25.500380039 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:25.500500917 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:25.789639950 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:25.789726973 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:25.839957952 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:25.840046883 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:26.063230038 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:26.063353062 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:26.195715904 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:26.195847988 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:26.422044992 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:26.554379940 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:26.554521084 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:26.778781891 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:26.778917074 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:27.028928041 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:27.113719940 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:27.113832951 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:27.334750891 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:27.334840059 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:27.386574984 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:27.386723995 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:27.648617983 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:27.670633078 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:27.670692921 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:27.745212078 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:27.745294094 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:28.005289078 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:28.005542994 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:28.098114014 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:28.100305080 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:28.355940104 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:28.459462881 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:28.460311890 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:28.652590990 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:28.714418888 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:28.716378927 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:28.934770107 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:29.012289047 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:29.013906002 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:29.074006081 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:29.074100971 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:29.258977890 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:29.286487103 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:29.286598921 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:29.423779964 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:29.423883915 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:29.618221045 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:29.618316889 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:29.781898975 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:29.782026052 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:29.962567091 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:30.133435011 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:30.136241913 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:30.322957993 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:30.324413061 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:30.526036978 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:30.683151960 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:30.684370995 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:30.885648012 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:30.889972925 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:31.159605980 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:31.245531082 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:31.245623112 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:31.450690031 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:31.457087994 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:31.457176924 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:31.518771887 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:31.518906116 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:31.733928919 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:31.808259964 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:31.808372021 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:31.812869072 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:31.812966108 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:31.874072075 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:31.874171972 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:32.074664116 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:32.093795061 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:32.096864939 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:32.181579113 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:32.184696913 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:32.361789942 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:32.434324026 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:32.435343981 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:32.450555086 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:32.453847885 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:32.673516989 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:32.722232103 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:32.722511053 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:32.798307896 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:32.798398018 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:33.013535023 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:33.013912916 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:33.030623913 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:33.030786037 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:33.151165009 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:33.151263952 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:33.385004044 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:33.389087915 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:33.389185905 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:33.595500946 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:33.745326042 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:33.745387077 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:33.747185946 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:33.747265100 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:33.830440044 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:33.830440044 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:33.949867010 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:33.951915979 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:34.013310909 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:34.108335972 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:34.108549118 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:34.189958096 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:34.190141916 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:34.372195959 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:34.412014961 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:34.463979959 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:34.465358973 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:34.465449095 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:34.542767048 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:34.542862892 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:34.768085003 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:34.768214941 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:34.905997038 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:34.906088114 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:35.259083033 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:35.261957884 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:35.481818914 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:35.763309002 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:35.817653894 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:35.819889069 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:35.840253115 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:36.124918938 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:36.179841995 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:36.856625080 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:37.328027010 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:37.405059099 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:37.405153990 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:37.614538908 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:37.688363075 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:37.688592911 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:37.902179003 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:37.969078064 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:37.969178915 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:37.970016003 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:38.236574888 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:38.238123894 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:38.262598991 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:38.262806892 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:38.386269093 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:38.386471033 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:38.586596012 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:38.591283083 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:38.736860991 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:38.736969948 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:38.938497066 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:38.938704014 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:39.138973951 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:39.299642086 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:39.299736023 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:39.476191044 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:39.492711067 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:39.492947102 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:39.646791935 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:39.646871090 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:39.820265055 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:39.820352077 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:40.000000954 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:40.000296116 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:40.186919928 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:40.358400106 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:40.360719919 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:40.547832966 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:40.553894043 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:40.777695894 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:40.906810045 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:40.908225060 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:41.099344969 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:41.104736090 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:41.104896069 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:41.137527943 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:41.137619019 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:41.368163109 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:41.455760002 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:41.455873013 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:41.457283974 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:41.495510101 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:41.495594978 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:41.695332050 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:41.727689981 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:41.727807999 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:41.849670887 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:41.849770069 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:42.038502932 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:42.047918081 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:42.048017025 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:42.208466053 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:42.208590031 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:42.397532940 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:42.397672892 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:42.571702003 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:42.571858883 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:42.786134005 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:42.929480076 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:42.929572105 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:43.144479036 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:43.149899960 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:43.487611055 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:43.489168882 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:43.706573009 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:43.707885027 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:43.847803116 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:43.847903013 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:44.106067896 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:44.208638906 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:44.208765984 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:44.414778948 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:44.415060997 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:44.464698076 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:44.464778900 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:44.730529070 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:44.776567936 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:44.776766062 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:44.818732023 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:44.818933010 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:45.087658882 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:45.087744951 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:45.176824093 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:45.176932096 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:45.453142881 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:45.533754110 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:18:45.533878088 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:18:45.799587965 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:15.099159956 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:15.099251986 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:15.302172899 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:15.302293062 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:15.318614960 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:15.320378065 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:15.457145929 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:15.460165024 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:15.692918062 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:15.783191919 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:15.784354925 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:16.004249096 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:16.021038055 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:16.051204920 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:16.051325083 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:16.281513929 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:16.341212988 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:16.341325045 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:16.364089966 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:16.364234924 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:16.545351028 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:16.620376110 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:16.620610952 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:16.641338110 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:16.641484976 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:16.721029997 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:16.721276999 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:16.904428959 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:16.904664040 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:16.998384953 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:16.998616934 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:17.188210011 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:17.263328075 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:17.263442993 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:17.464903116 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:17.546227932 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:17.546365023 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:17.622081995 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:17.622159958 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:17.821221113 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:17.821506977 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:17.977196932 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:17.977279902 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:18.197789907 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:18.335103989 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:18.338067055 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:18.554239988 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:18.555202961 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:18.768630981 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:18.902251959 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:18.905966997 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:18.913191080 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:19.121690989 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:19.129275084 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:19.337949991 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:19.462343931 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:19.462446928 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:19.489027977 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:19.489119053 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:19.673841953 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:19.696091890 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:19.696192026 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:19.844444036 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:19.844696045 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:20.017874956 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:20.040410995 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:20.040659904 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:20.203166962 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:20.203481913 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:20.378140926 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:20.378259897 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:20.560961962 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:20.561193943 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:20.772058010 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:20.919075012 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:20.919282913 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:21.121844053 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:21.127401114 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:21.129882097 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:21.369240046 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:21.473197937 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:21.473354101 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:21.489197016 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:21.489295959 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:21.694319010 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:21.694387913 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:21.728471041 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:21.728552103 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:21.847278118 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:21.847357035 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:22.041676998 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:22.085196018 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:22.085272074 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:22.306119919 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:22.399998903 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:22.401974916 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:22.443090916 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:22.445899010 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:22.723376036 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:22.727229118 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:22.807374954 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:22.807478905 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:23.031573057 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:23.099482059 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:23.101948977 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:23.299813986 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:23.369112968 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:23.369204044 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:23.390403986 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:23.390640020 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:23.617973089 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:23.658221960 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:23.658370018 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:23.667188883 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:23.667293072 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:23.759340048 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:23.759602070 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:23.976871967 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:23.979979992 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:24.024127007 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:24.024355888 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:24.195682049 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:24.319083929 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:24.319175959 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:24.338041067 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:24.338135004 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:24.543637991 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:24.555962086 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:24.556191921 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:24.678065062 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:24.678208113 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:24.868762970 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:24.902426004 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:24.902766943 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:24.913078070 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:24.913173914 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:25.128709078 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:25.227315903 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:25.229984045 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:25.261171103 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:25.261871099 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:25.473026037 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:25.487297058 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:25.489895105 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:25.587296009 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:25.588190079 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:25.802745104 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:25.817182064 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:25.817878962 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:25.831207991 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:25.833899975 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:25.946135044 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:25.946448088 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:26.167208910 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:26.167329073 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:26.193370104 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:26.193439960 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:26.387485981 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:26.574094057 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:26.738518953 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:26.738668919 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:26.740464926 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:26.780213118 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:26.780319929 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:26.932307959 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:26.932454109 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:27.129375935 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:27.137177944 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:27.137284994 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:27.353483915 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:27.488149881 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:27.488257885 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:27.495230913 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:27.495287895 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:27.699528933 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:27.711075068 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:27.711157084 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:27.851964951 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:27.852078915 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:28.053446054 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:28.055011988 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:28.204283953 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:28.205954075 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:28.414172888 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:28.418000937 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:28.772130013 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:28.773896933 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:28.972372055 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:28.973927975 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:29.329186916 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:29.329405069 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:29.580446959 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:29.580581903 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:29.937388897 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:29.937513113 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:30.501605988 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:31.187799931 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:31.668710947 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:31.749201059 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:31.749281883 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:32.027421951 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:32.027549982 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:32.311183929 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:32.311291933 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:32.580173016 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:32.580255032 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:32.869158030 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:32.869244099 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:33.132347107 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:33.139292955 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:33.139426947 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:33.430464029 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:33.431703091 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:33.490503073 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:33.493921995 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:33.700376987 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:33.702383995 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:33.790294886 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:33.790503025 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:34.052414894 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:34.052517891 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:34.149517059 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:34.149718046 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:34.390305996 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:34.508487940 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:34.508599043 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:34.734999895 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:34.748342991 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:34.748451948 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:34.973275900 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:35.069519997 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:35.069639921 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:35.093821049 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:35.093914032 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:35.315443039 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:35.315552950 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:35.331573009 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:35.331764936 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:35.451308966 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:35.451457024 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:35.680527925 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:35.692440033 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:35.692517996 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:35.934021950 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:36.011584044 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:36.011686087 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:36.041460037 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:36.041543961 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:36.249214888 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:36.249284029 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:36.292288065 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:36.292357922 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:36.398370028 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:36.398499966 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:36.590944052 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:36.649514914 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:36.649724007 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:36.907567024 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:36.940448046 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:36.940546989 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:36.996408939 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:36.996556044 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:37.198088884 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:19:37.260457993 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:19:37.260579109 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:09.331191063 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:09.564071894 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:09.564071894 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:09.824449062 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:09.824449062 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:09.904119015 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:09.925035954 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:09.925096989 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:10.225166082 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:10.226979971 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:10.266108990 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:10.266271114 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:10.463726997 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:10.626032114 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:10.626166105 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:10.822252035 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:10.822357893 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:10.985101938 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:10.985202074 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:11.202405930 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:11.344017029 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:11.346122026 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:11.563077927 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:11.563222885 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:11.920964956 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:14.732265949 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:14.732671022 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:15.290132999 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:16.466800928 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:17.023217916 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:20.769403934 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:20.810401917 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:23.774461985 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:23.825896025 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:26.783551931 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:26.825917006 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:29.802366972 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:29.857186079 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:32.811587095 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:32.857167006 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:35.822427034 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:35.872873068 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:38.830918074 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:38.872832060 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:41.839643002 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:41.888464928 CEST4974410000192.168.2.441.249.48.248
                                  Apr 14, 2024 05:20:44.853898048 CEST100004974441.249.48.248192.168.2.4
                                  Apr 14, 2024 05:20:44.904131889 CEST4974410000192.168.2.441.249.48.248
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Apr 14, 2024 05:17:12.887053967 CEST | 58193 | 53 | 192.168.2.4 | 1.1.1.1
                                  Apr 14, 2024 05:17:13.890094995 CEST | 58193 | 53 | 192.168.2.4 | 1.1.1.1
                                  Apr 14, 2024 05:17:14.904254913 CEST | 58193 | 53 | 192.168.2.4 | 1.1.1.1
                                  Apr 14, 2024 05:17:15.061522007 CEST | 53 | 58193 | 1.1.1.1 | 192.168.2.4
                                  Apr 14, 2024 05:17:15.061785936 CEST | 53 | 58193 | 1.1.1.1 | 192.168.2.4
                                  Apr 14, 2024 05:17:15.073199987 CEST | 53 | 58193 | 1.1.1.1 | 192.168.2.4
                                  Apr 14, 2024 05:17:19.094680071 CEST | 57004 | 53 | 192.168.2.4 | 1.1.1.1
                                  Apr 14, 2024 05:17:19.298480034 CEST | 53 | 57004 | 1.1.1.1 | 192.168.2.4
                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                  Apr 14, 2024 05:17:12.887053967 CEST | 192.168.2.4 | 1.1.1.1 | 0x4b4d | Standard query (0) | doddyfire.linkpc.net | A (IP address) | IN (0x0001) | false
                                  Apr 14, 2024 05:17:13.890094995 CEST | 192.168.2.4 | 1.1.1.1 | 0x4b4d | Standard query (0) | doddyfire.linkpc.net | A (IP address) | IN (0x0001) | false
                                  Apr 14, 2024 05:17:14.904254913 CEST | 192.168.2.4 | 1.1.1.1 | 0x4b4d | Standard query (0) | doddyfire.linkpc.net | A (IP address) | IN (0x0001) | false
                                  Apr 14, 2024 05:17:19.094680071 CEST | 192.168.2.4 | 1.1.1.1 | 0x6869 | Standard query (0) | doddyfire.linkpc.net | A (IP address) | IN (0x0001) | false
                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                  Apr 14, 2024 05:17:15.061522007 CEST | 1.1.1.1 | 192.168.2.4 | 0x4b4d | Server failure (2) | doddyfire.linkpc.net | none | none | A (IP address) | IN (0x0001) | false
                                  Apr 14, 2024 05:17:15.061785936 CEST | 1.1.1.1 | 192.168.2.4 | 0x4b4d | Server failure (2) | doddyfire.linkpc.net | none | none | A (IP address) | IN (0x0001) | false
                                  Apr 14, 2024 05:17:15.073199987 CEST | 1.1.1.1 | 192.168.2.4 | 0x4b4d | Server failure (2) | doddyfire.linkpc.net | none | none | A (IP address) | IN (0x0001) | false
                                  Apr 14, 2024 05:17:19.298480034 CEST | 1.1.1.1 | 192.168.2.4 | 0x6869 | No error (0) | doddyfire.linkpc.net | | 41.249.48.248 | A (IP address) | IN (0x0001) | false


                                  Target ID: 0
                                  Start time: 05:16:49
                                  Start date: 14/04/2024
                                  Path: C:\Users\user\Desktop\j76l1AiIHm.exe
                                  Wow64 process (32bit): true
                                  Commandline: "C:\Users\user\Desktop\j76l1AiIHm.exe"
                                  Imagebase: 0xb50000
                                  File size: 108'992 bytes
                                  MD5 hash: ED1EA689D80A7FAB60271D8D24267A5B
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Reputation: low
                                  Has exited: true

                                  Target ID: 2
                                  Start time: 05:16:58
                                  Start date: 14/04/2024
                                  Path: C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                  Wow64 process (32bit): true
                                  Commandline: "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
                                  Imagebase: 0xfe0000
                                  File size: 109'056 bytes
                                  MD5 hash: 487F849292C93F358B174826265C2296
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.1757433092.0000000003631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000002.00000002.1757433092.0000000003631000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: njrat1, Description: Identify njRat, Source: 00000002.00000002.1757433092.0000000003631000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                  • Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000002.1757433092.0000000003631000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  Reputation: low
                                  Has exited: true

                                  Target ID: 3
                                  Start time: 05:17:02
                                  Start date: 14/04/2024
                                  Path: C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                  Wow64 process (32bit): true
                                  Commandline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                  Imagebase: 0xb20000
                                  File size: 109'056 bytes
                                  MD5 hash: 487F849292C93F358B174826265C2296
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000002.4102178784.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation: low
                                  Has exited: false

                                  Target ID: 4
                                  Start time: 05:17:04
                                  Start date: 14/04/2024
                                  Path: C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                  Wow64 process (32bit): true
                                  Commandline: "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
                                  Imagebase: 0x620000
                                  File size: 109'056 bytes
                                  MD5 hash: 487F849292C93F358B174826265C2296
                                  Has elevated privileges: false
                                  Has administrator privileges: false
                                  Programmed in: C, C++ or other language
                                  Reputation: low
                                  Has exited: true

                                  Target ID: 6
                                  Start time: 05:17:07
                                  Start date: 14/04/2024
                                  Path: C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                  Wow64 process (32bit): false
                                  Commandline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                  Imagebase: 0x280000
                                  File size: 109'056 bytes
                                  MD5 hash: 487F849292C93F358B174826265C2296
                                  Has elevated privileges: false
                                  Has administrator privileges: false
                                  Programmed in: C, C++ or other language
                                  Reputation: low
                                  Has exited: true

                                  Target ID: 7
                                  Start time: 05:17:07
                                  Start date: 14/04/2024
                                  Path: C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                  Wow64 process (32bit): true
                                  Commandline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                  Imagebase: 0x550000
                                  File size: 109'056 bytes
                                  MD5 hash: 487F849292C93F358B174826265C2296
                                  Has elevated privileges: false
                                  Has administrator privileges: false
                                  Programmed in: C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000007.00000002.1865981643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000007.00000002.1865981643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: njrat1, Description: Identify njRat, Source: 00000007.00000002.1865981643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                  • Rule: Njrat, Description: detect njRAT in memory, Source: 00000007.00000002.1865981643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation: low
                                  Has exited: true

                                  Target ID: 10
                                  Start time: 05:17:08
                                  Start date: 14/04/2024
                                  Path: C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit): true
                                  Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7528 -s 8
                                  Imagebase: 0x440000
                                  File size: 483'680 bytes
                                  MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges: false
                                  Has administrator privileges: false
                                  Programmed in: C, C++ or other language
                                  Reputation: high
                                  Has exited: true

                                  Target ID: 11
                                  Start time: 05:17:08
                                  Start date: 14/04/2024
                                  Path: C:\Windows\SysWOW64\netsh.exe
                                  Wow64 process (32bit): true
                                  Commandline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
                                  Imagebase: 0x1560000
                                  File size: 82'432 bytes
                                  MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Reputation: moderate
                                  Has exited: true

                                  Target ID: 12
                                  Start time: 05:17:08
                                  Start date: 14/04/2024
                                  Path: C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit): false
                                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase: 0x7ff7699e0000
                                  File size: 862'208 bytes
                                  MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Reputation: high
                                  Has exited: true

                                  Target ID: 13
                                  Start time: 05:17:12
                                  Start date: 14/04/2024
                                  Path: C:\Users\user\Desktop\j76l1AiIHm.exe
                                  Wow64 process (32bit): true
                                  Commandline: "C:\Users\user\Desktop\j76l1AiIHm.exe"
                                  Imagebase: 0xae0000
                                  File size: 108'992 bytes
                                  MD5 hash: ED1EA689D80A7FAB60271D8D24267A5B
                                  Has elevated privileges: false
                                  Has administrator privileges: false
                                  Programmed in: C, C++ or other language
                                  Reputation: low
                                  Has exited: true

                                  Target ID: 16
                                  Start time: 05:17:21
                                  Start date: 14/04/2024
                                  Path: C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                  Wow64 process (32bit): true
                                  Commandline: "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
                                  Imagebase: 0x740000
                                  File size: 109'056 bytes
                                  MD5 hash: 487F849292C93F358B174826265C2296
                                  Has elevated privileges: false
                                  Has administrator privileges: false
                                  Programmed in: C, C++ or other language
                                  Reputation: low
                                  Has exited: true

                                  Target ID: 17
                                  Start time: 05:17:24
                                  Start date: 14/04/2024
                                  Path: C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                  Wow64 process (32bit): true
                                  Commandline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                  Imagebase: 0xa60000
                                  File size: 109'056 bytes
                                  MD5 hash: 487F849292C93F358B174826265C2296
                                  Has elevated privileges: false
                                  Has administrator privileges: false
                                  Programmed in: C, C++ or other language
                                  Reputation: low
                                  Has exited: true

                                  Target ID: 18
                                  Start time: 05:17:29
                                  Start date: 14/04/2024
                                  Path: C:\Users\user\Desktop\j76l1AiIHm.exe
                                  Wow64 process (32bit): true
                                  Commandline: "C:\Users\user\Desktop\j76l1AiIHm.exe"
                                  Imagebase: 0x220000
                                  File size: 108'992 bytes
                                  MD5 hash: ED1EA689D80A7FAB60271D8D24267A5B
                                  Has elevated privileges: false
                                  Has administrator privileges: false
                                  Programmed in: C, C++ or other language
                                  Reputation: low
                                  Has exited: true

                                    Execution Graph

                                    Execution Coverage: 18.9%
                                    Dynamic/Decrypted Code Coverage: 100%
                                    Signature Coverage: 0%
                                    Total number of Nodes: 90
                                    Total number of Limit Nodes: 3

                                    Control-flow Graph

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1724370212.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1380000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4502d90cbee38e9b7edb4ed107311f27882a7c49654bd13ba3d5d67318c3a3ff
                                    • Instruction ID: ef4db8becc09f12e4fff93b0d74e360bbc7b93e5339f22c7c7d1d4179a68cd12
                                    • Opcode Fuzzy Hash: 4502d90cbee38e9b7edb4ed107311f27882a7c49654bd13ba3d5d67318c3a3ff
                                    • Instruction Fuzzy Hash: FF143834601704DFE765DB30C954AEAB3B2EF89304F5188A9D54A6B361CF36AE86CF41
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1724370212.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1380000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ee58e33caa14e2403328856716b2bc280f33847abdc5957951f7f41f94beced9
                                    • Instruction ID: e587be8b371c50d33b692d2425b33500a51a27c102abb7590158560118017b06
                                    • Opcode Fuzzy Hash: ee58e33caa14e2403328856716b2bc280f33847abdc5957951f7f41f94beced9
                                    • Instruction Fuzzy Hash: 9B143834601704DFE765DB30C954AEAB3B2EF89304F5188A9D54A6B361CF36AE86CF41
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1724370212.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1380000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1f56c3b7f466522062097b3d5a087019c09d28f08f47892951f01422b2d7194a
                                    • Instruction ID: e3d824fdb3da9d937902a10f468c9900ca6f251cf79c304fc349d9d99d8c7bd8
                                    • Opcode Fuzzy Hash: 1f56c3b7f466522062097b3d5a087019c09d28f08f47892951f01422b2d7194a
                                    • Instruction Fuzzy Hash: F533B6343149118B8606FF21E6606AF6BB7EBC55583988345C91547BC4CF38FEAB8BC9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1724370212.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1380000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: \Bl$\Bl
                                    • API String ID: 0-3137230522
                                    • Opcode ID: e5a2e9390eb5431bfee705264b49243863b9db1c81e09329bfab224b24ab1f76
                                    • Instruction ID: 53b9e14ae6e82df264719204f61f77081553bdd93950fbe17700b174e65cd837
                                    • Opcode Fuzzy Hash: e5a2e9390eb5431bfee705264b49243863b9db1c81e09329bfab224b24ab1f76
                                    • Instruction Fuzzy Hash: 63F0F632B40320A7D625A2A99C11B7D36DA87CAF58F25403AD601EF7C4DEB1EC0343D9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 066F0C05
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: 1c8751f6a70bdc210903f28f937053f239786a4c317fea2d10148e04744ff8df
                                    • Instruction ID: 4a8c1d93d531a120f2813be47182ab3169ef0712cda914bdf4a15ee8f87605f4
                                    • Opcode Fuzzy Hash: 1c8751f6a70bdc210903f28f937053f239786a4c317fea2d10148e04744ff8df
                                    • Instruction Fuzzy Hash: 7231AF71504380AFE722CF65DD44FA6BFE8EF05624F08889EE9858B652D375E809CB71
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0113ACD1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: Open
                                    • String ID:
                                    • API String ID: 71445658-0
                                    • Opcode ID: 6369c9e89111cbad8fccb28d69ac8e9783487dad769014c626a1d33ac35931da
                                    • Instruction ID: a453bcd19e73318888d38315a2306792f51613c6a524c04443f7d1e782f05329
                                    • Opcode Fuzzy Hash: 6369c9e89111cbad8fccb28d69ac8e9783487dad769014c626a1d33ac35931da
                                    • Instruction Fuzzy Hash: E831C072404384AFE7228B25DC44FA7BFBCEF46310F08849AE9849B653D224E84DCB71
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,1FE0A015,00000000,00000000,00000000,00000000), ref: 0113ADD4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    • String ID:
                                    • API String ID: 3660427363-0
                                    • Opcode ID: 1120f5556043580cf4cb5291d80d86f1acc6d5a913121e4760371bb48dbcde65
                                    • Instruction ID: c832dae6207ced791081f883b826fcf63915dd350c7ca1c29f2c7a54ae4b0dde
                                    • Opcode Fuzzy Hash: 1120f5556043580cf4cb5291d80d86f1acc6d5a913121e4760371bb48dbcde65
                                    • Instruction Fuzzy Hash: 3131AF755083845FE722CB25DC48FA2BFB8AF46314F08849AE985CB253D364E548CB71
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegSetValueExW.KERNELBASE(?,00000E24,1FE0A015,00000000,00000000,00000000,00000000), ref: 066F1030
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: Value
                                    • String ID:
                                    • API String ID: 3702945584-0
                                    • Opcode ID: dad8b2517a56626347d469494ae715666bffdcd19b5681f7f13966fdbc851dba
                                    • Instruction ID: caf536be27ce7f0c4977a83714744c4a653017e20c9560b8bac83b3747fd5495
                                    • Opcode Fuzzy Hash: dad8b2517a56626347d469494ae715666bffdcd19b5681f7f13966fdbc851dba
                                    • Instruction Fuzzy Hash: 5B21D2B1504780AFE722CB11CC44FA3FFB8AF06314F08849AE9849B293D664E948C7B1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 0113A346
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: a5816f263487beae24cbcc8a4aa883fd71c0ab7a0151b92636c56a4040a65417
                                    • Instruction ID: 441c2ce01ed643be2b2fc4edb9e1269436589b81713e95e9899c07cc2cce7734
                                    • Opcode Fuzzy Hash: a5816f263487beae24cbcc8a4aa883fd71c0ab7a0151b92636c56a4040a65417
                                    • Instruction Fuzzy Hash: 2821A47150D3C06FD3138B259C51B62BFB8EF87614F0A81DBE884DB693D225A919C7B2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 066F0C05
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: e321f0fe0f8b920a62bc5ba3dc66c31b3cdc03d2b2fbacc91715ca5676efee61
                                    • Instruction ID: 5c714ebff1e245628d534380fd64c2c24123f20059c3fc0191e120de77608c19
                                    • Opcode Fuzzy Hash: e321f0fe0f8b920a62bc5ba3dc66c31b3cdc03d2b2fbacc91715ca5676efee61
                                    • Instruction Fuzzy Hash: 0221C175600204AFEB60CF65DD44FA6FBE8EF08724F088869EA459B752D375E408CB71
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0113ACD1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: Open
                                    • String ID:
                                    • API String ID: 71445658-0
                                    • Opcode ID: f785f5e72c723641db885ac86cc3fdc8a63b86b55526979f4c9b654a9587ca92
                                    • Instruction ID: c24984ceb02798a1d46d5ddce2d4ac03cc6aa0b8f951a52f8c44c77bfa4566a6
                                    • Opcode Fuzzy Hash: f785f5e72c723641db885ac86cc3fdc8a63b86b55526979f4c9b654a9587ca92
                                    • Instruction Fuzzy Hash: 4F21CD72500204AFEB219F55ED44FABFBECEF44324F04845AEA45DB642D334E84C8AB2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileType.KERNELBASE(?,00000E24,1FE0A015,00000000,00000000,00000000,00000000), ref: 066F0D9D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: FileType
                                    • String ID:
                                    • API String ID: 3081899298-0
                                    • Opcode ID: ac7bb78119b654cf23da40422d9bc6b2ae698556cc6bcb91159eb8724e8a7f2d
                                    • Instruction ID: c6147fb26ba51ebb4e85c6a269b3360e65b836b1be25335a23d18700f5f9fb5c
                                    • Opcode Fuzzy Hash: ac7bb78119b654cf23da40422d9bc6b2ae698556cc6bcb91159eb8724e8a7f2d
                                    • Instruction Fuzzy Hash: EA21D5B54093846FE7128B51DC44BE2BFB8DF47714F08C0DAE9848B293D268A909C771
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 066F04B3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: DrawText
                                    • String ID:
                                    • API String ID: 2175133113-0
                                    • Opcode ID: 4b4a151a1f0b1cbe4681c27bf2185ec3ede49a7d5a5e1b71768d55f350d1f017
                                    • Instruction ID: 20ce0d64997a0135344f5a9250a30634cc2b2d3643c62ffd960b53c467f8e192
                                    • Opcode Fuzzy Hash: 4b4a151a1f0b1cbe4681c27bf2185ec3ede49a7d5a5e1b71768d55f350d1f017
                                    • Instruction Fuzzy Hash: 6321A1715087849FDB22CF25DC54B62BFF8EF56210F09849AE9848F663D235E808CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WriteFile.KERNELBASE(?,00000E24,1FE0A015,00000000,00000000,00000000,00000000), ref: 066F0F39
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: FileWrite
                                    • String ID:
                                    • API String ID: 3934441357-0
                                    • Opcode ID: 3a838b6646c01541a694d22769452e7dbe1ed178095d0be06d81c5125b65cc4e
                                    • Instruction ID: a0cd2f0a5f4bfd14ad6fe533670f80bb28c616f415c9a3c585c044631c04e760
                                    • Opcode Fuzzy Hash: 3a838b6646c01541a694d22769452e7dbe1ed178095d0be06d81c5125b65cc4e
                                    • Instruction Fuzzy Hash: 7321D171405380AFDB22CF51CC44FA7FFB8EF45310F08849AEA449B252C234A508CBB6
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,1FE0A015,00000000,00000000,00000000,00000000), ref: 0113ADD4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    • String ID:
                                    • API String ID: 3660427363-0
                                    • Opcode ID: 8a968dba7f3e5674c8f13d4758cde7ef8ad5e51d2a6cdfad0aab01b3c8560d8b
                                    • Instruction ID: 2ddd42cbd692dc172b6113d9dfe9b81b734a53ce0e92812a9a07219a22417b11
                                    • Opcode Fuzzy Hash: 8a968dba7f3e5674c8f13d4758cde7ef8ad5e51d2a6cdfad0aab01b3c8560d8b
                                    • Instruction Fuzzy Hash: 1121C076600604AFE721CF15DC88FA6F7ECEF44710F08846AE945CB655D360E448CAB1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryW.KERNELBASE(?), ref: 0113BB2C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 145f671bd8a6db40976c30d017ed36f642f837bd7ed62db585b8c9f41396af86
                                    • Instruction ID: db5bedcdba9b8080ee7f2ad9c23b07ca05e8b6610c537b678b559c3dddfd6de2
                                    • Opcode Fuzzy Hash: 145f671bd8a6db40976c30d017ed36f642f837bd7ed62db585b8c9f41396af86
                                    • Instruction Fuzzy Hash: 09215E715093C05FDB128B25DC94B92BFB4DF47214F0984DAE9848F557D265A908CB72
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegSetValueExW.KERNELBASE(?,00000E24,1FE0A015,00000000,00000000,00000000,00000000), ref: 066F1030
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: Value
                                    • String ID:
                                    • API String ID: 3702945584-0
                                    • Opcode ID: 06e96556a0f6124083fb7c30f3bbcffc013051f5f62dad474df1e6ac9fe06507
                                    • Instruction ID: 1a3af483a0f1e3625acb98af0fa97ce478ab9d8b6dbf6ca0dc7dab88766ddfe9
                                    • Opcode Fuzzy Hash: 06e96556a0f6124083fb7c30f3bbcffc013051f5f62dad474df1e6ac9fe06507
                                    • Instruction Fuzzy Hash: 9211E172900640EFE7608F11CC40FA2F7ECEF05654F08805AEA059A742D7B4E458CAB1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0113B4A9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: LibraryLoadShim
                                    • String ID:
                                    • API String ID: 1475914169-0
                                    • Opcode ID: 588d4704bf139347b577e05f9d2a000586de3b77aad382cd093ab19242388b44
                                    • Instruction ID: f8411bc21708ecd2a65f1c83b12e27974876fcff6cafe85d6d01584b9b8578cc
                                    • Opcode Fuzzy Hash: 588d4704bf139347b577e05f9d2a000586de3b77aad382cd093ab19242388b44
                                    • Instruction Fuzzy Hash: 13218EB15093845FDB228E25DC45B62BFF8EF46614F08808AE9858B293E365E808CB65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetFileAttributesW.KERNELBASE(?,?), ref: 066F10E3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: f3a42e876e563444ee55fe977e9ed6696c0530b24563ae98949e796086aa506a
                                    • Instruction ID: 6d443b3435256892f1e9bd2f8554ae7031dbdc31f3dae6e7be78ba64adca388d
                                    • Opcode Fuzzy Hash: f3a42e876e563444ee55fe977e9ed6696c0530b24563ae98949e796086aa506a
                                    • Instruction Fuzzy Hash: 1F2160716092C49FDB518B25DC55B92BFA8EF47220F0884EAE9858F262D279E805CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 066F0082
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: LanguageName
                                    • String ID:
                                    • API String ID: 2060303382-0
                                    • Opcode ID: eec070768cbc0323944f07e514cce28e4fceefeddd57a6a4c4333c8d024340e7
                                    • Instruction ID: 7a2e29e237bd5f77442633cc050f4e30a2528760287b79b03f1d5c213276dc78
                                    • Opcode Fuzzy Hash: eec070768cbc0323944f07e514cce28e4fceefeddd57a6a4c4333c8d024340e7
                                    • Instruction Fuzzy Hash: 9D11DD71504340AFD3118B15DC41FB2BBF8EF86A20F05819AEC489BA42D238B959CBB2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateDirectoryW.KERNELBASE(?,?), ref: 066F0B0B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: CreateDirectory
                                    • String ID:
                                    • API String ID: 4241100979-0
                                    • Opcode ID: fb16136018ed5f00af830289fea132dd1b0c3f2a37ce0fbc22ca4ac7c7fdd403
                                    • Instruction ID: f530d9cd8bc2b939d6b46caaf1d3b3329c242c2dfab91cec56ecbe02e765083d
                                    • Opcode Fuzzy Hash: fb16136018ed5f00af830289fea132dd1b0c3f2a37ce0fbc22ca4ac7c7fdd403
                                    • Instruction Fuzzy Hash: B1118171A043809FDB51CF25DC94B96FFE8EF46220F0984AAED49CB253D275E904CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 0113BCBF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: FileInfoSizeVersion
                                    • String ID:
                                    • API String ID: 1661704012-0
                                    • Opcode ID: 11d9864490745b19c27dc2814ae308b653d6aa0d91e3614aa360a210f7fa9100
                                    • Instruction ID: 638d3a506987cfb24c9908397c304eb3d63e934bdaddf3e3cbb7e6b8e2726f60
                                    • Opcode Fuzzy Hash: 11d9864490745b19c27dc2814ae308b653d6aa0d91e3614aa360a210f7fa9100
                                    • Instruction Fuzzy Hash: 912193B15093849FEB22CF25DC45B52BFB4EF46314F0984DAE9848F163E274A509CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PostMessageW.USER32(?,?,?,?), ref: 066F1399
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    • Opcode ID: dd08eac9b9e1f71a63244e035a7657039f7119524d901d5d65c943678a8c0b36
                                    • Instruction ID: 8cae779330d4179fdc60465f9ea2b8bce4e628323ae15512799a44e9d880dd3d
                                    • Opcode Fuzzy Hash: dd08eac9b9e1f71a63244e035a7657039f7119524d901d5d65c943678a8c0b36
                                    • Instruction Fuzzy Hash: 92216D725097C09FDB238F25DC44A92FFB4EF17310F0985DAE9848F663D265A818DB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0113A666
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ShellExecuteExW.SHELL32(?), ref: 066F1240
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: ExecuteShell
                                    • String ID:
                                    • API String ID: 587946157-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WriteFile.KERNELBASE(?,00000E24,1FE0A015,00000000,00000000,00000000,00000000), ref: 066F0F39
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: FileWrite
                                    • String ID:
                                    • API String ID: 3934441357-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 0113BD75
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: FileInfoVersion
                                    • String ID:
                                    • API String ID: 2427832333-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PostMessageW.USER32(?,?,?,?), ref: 066F1721
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 066F04B3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: DrawText
                                    • String ID:
                                    • API String ID: 2175133113-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileType.KERNELBASE(?,00000E24,1FE0A015,00000000,00000000,00000000,00000000), ref: 066F0D9D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: FileType
                                    • String ID:
                                    • API String ID: 3081899298-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateDirectoryW.KERNELBASE(?,?), ref: 066F0B0B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: CreateDirectory
                                    • String ID:
                                    • API String ID: 4241100979-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetFileAttributesW.KERNELBASE(?,?), ref: 066F10E3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetErrorMode.KERNELBASE(?), ref: 0113A480
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: ErrorMode
                                    • String ID:
                                    • API String ID: 2340568224-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ShellExecuteExW.SHELL32(?), ref: 066F1240
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: ExecuteShell
                                    • String ID:
                                    • API String ID: 587946157-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 0113BD75
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: FileInfoVersion
                                    • String ID:
                                    • API String ID: 2427832333-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0113B4A9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: LibraryLoadShim
                                    • String ID:
                                    • API String ID: 1475914169-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0113A666
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 0113BCBF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: FileInfoSizeVersion
                                    • String ID:
                                    • API String ID: 1661704012-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 066F0082
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: LanguageName
                                    • String ID:
                                    • API String ID: 2060303382-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryW.KERNELBASE(?), ref: 0113BB2C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 0113A346
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PostMessageW.USER32(?,?,?,?), ref: 066F1721
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PostMessageW.USER32(?,?,?,?), ref: 066F1399
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1725119974.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_66f0000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetErrorMode.KERNELBASE(?), ref: 0113A480
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723411424.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_113a000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID: ErrorMode
                                    • String ID:
                                    • API String ID: 2340568224-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1724370212.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1380000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: \Bl
                                    • API String ID: 0-1835725649
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1724370212.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1380000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1724370212.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1380000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1724370212.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1380000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723345516.0000000001000000.00000040.00000020.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1000000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 079c4024b500f19e2233040d10daca99f99e07f12b171a151e20a7b100aa1e2e
                                    • Instruction ID: a472af74ef4a77c2d8f76ec2ec531d378a1628fe54c84f08bccc7396661c4469
                                    • Opcode Fuzzy Hash: 079c4024b500f19e2233040d10daca99f99e07f12b171a151e20a7b100aa1e2e
                                    • Instruction Fuzzy Hash: A0110530608280DFE706CB14C980B25BBE5EB89718F24C59CF58D1BB86C73BD803CA41
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723345516.0000000001000000.00000040.00000020.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1000000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1a2a0b9a132513726aa5cd3337c0b97b946a543650e8d8c5aef4d1ce1516b297
                                    • Instruction ID: 3b47d834073c620074b247c4d5317a120ce48374e09472742132ee24f5f6305c
                                    • Opcode Fuzzy Hash: 1a2a0b9a132513726aa5cd3337c0b97b946a543650e8d8c5aef4d1ce1516b297
                                    • Instruction Fuzzy Hash: C6215E3550D7C19FD7138B24C960B55BFB1AF47214F1985DED4858B6A3C63A8806CB52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1724370212.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1380000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ab95dd90be38e010eed778745661e38c9b3bdb2fe1618f0b7430387aa476cc84
                                    • Instruction ID: 7757a3231960831a42f6d26cecaf1f2993684ba6f952c0db369874dcd7b7f06b
                                    • Opcode Fuzzy Hash: ab95dd90be38e010eed778745661e38c9b3bdb2fe1618f0b7430387aa476cc84
                                    • Instruction Fuzzy Hash: E401CC7550F3D06FD717A77049614A93FB69E1711830F88CBC080CF1B3CA1A989AD3A2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723345516.0000000001000000.00000040.00000020.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1000000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 59ecd244e34f6f51ddae0fb8e42fc29b7bff886cbe4232ad21f6127cd043a743
                                    • Instruction ID: 0687dfe6ca8732ad9d1cf53392c03c92fbe7b7f8abb36b3b0f262bea17c37a2d
                                    • Opcode Fuzzy Hash: 59ecd244e34f6f51ddae0fb8e42fc29b7bff886cbe4232ad21f6127cd043a743
                                    • Instruction Fuzzy Hash: 390126B24083845FC7128B15AC058A2FFF8EE86220709C49FEC888B612D129B909CB72
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723345516.0000000001000000.00000040.00000020.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1000000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 04600195a8a0699fd4b81d29264c43655e369728a748b9fc922c81a7726b4acd
                                    • Instruction ID: 9df5c45d498a9384e44ecbf4535a0151fa42267c6f56806007176f566175d743
                                    • Opcode Fuzzy Hash: 04600195a8a0699fd4b81d29264c43655e369728a748b9fc922c81a7726b4acd
                                    • Instruction Fuzzy Hash: 5BF0FB35548645DFC206CB44D980B15FBA2FB89718F24CAA9E98907756C737D813DB81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723345516.0000000001000000.00000040.00000020.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1000000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1cdca060d20cf5262651ff80a0e9e6f953c7090153f13337cdabe9ecaeb310c1
                                    • Instruction ID: 56c31959adc5c0526dd477bc6b7dc71c4e10a3a151a6c84f8a3f4d007d64a13c
                                    • Opcode Fuzzy Hash: 1cdca060d20cf5262651ff80a0e9e6f953c7090153f13337cdabe9ecaeb310c1
                                    • Instruction Fuzzy Hash: 91E092B66006044BD750DF0AEC45492F7D8EB88630708C07FDC0D8B701E639B508CAA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1724370212.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1380000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ffd6baeb2a571155b72e87285b6cc27495464d9b8f3fb597de0996e9c4d7f63e
                                    • Instruction ID: 3ba02f7f9b9849e35e7cbe176974515abef4b1db6f91825c6ef80305a21503bf
                                    • Opcode Fuzzy Hash: ffd6baeb2a571155b72e87285b6cc27495464d9b8f3fb597de0996e9c4d7f63e
                                    • Instruction Fuzzy Hash: 42D02222746121538A0E32A82D105EE738E8BD7D347490057F0099B282CF8A0D1302EA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1724370212.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1380000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 91a5cadca9d141a370fa001df6d17fddaf66d94603da179f29a1d77cdee1c3bb
                                    • Instruction ID: 041e75c0c338011154c045071957ae11f19e1339668b3f0e8fcf2f5654ec6e3c
                                    • Opcode Fuzzy Hash: 91a5cadca9d141a370fa001df6d17fddaf66d94603da179f29a1d77cdee1c3bb
                                    • Instruction Fuzzy Hash: 76C0123A301524630A6D327512255FF728A4F6689C302006BC12A8B341CF0BC95202DA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723398594.0000000001132000.00000040.00000800.00020000.00000000.sdmp, Offset: 01132000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1132000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0c1c62486b188533670420067133c620f1034ffd86fab354f7db92f5df3fb203
                                    • Instruction ID: 275af46d0cb59bf41360ac667b571e32459184f576d045408d8bbf7c4398f866
                                    • Opcode Fuzzy Hash: 0c1c62486b188533670420067133c620f1034ffd86fab354f7db92f5df3fb203
                                    • Instruction Fuzzy Hash: 63D02E393006C04FE31AAE0CC2A8B853BE4BB80708F0A00F9E8008B767C728E4C4C200
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1723398594.0000000001132000.00000040.00000800.00020000.00000000.sdmp, Offset: 01132000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1132000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 90a54838a0c9518ab5600ff4744492d7a3c57a16b08f6710b9d47ece8175a7d1
                                    • Instruction ID: 598f30b9aa9d26e61ebab1a7883caf47ab6f59a267553e37005d7661557ce3a8
                                    • Opcode Fuzzy Hash: 90a54838a0c9518ab5600ff4744492d7a3c57a16b08f6710b9d47ece8175a7d1
                                    • Instruction Fuzzy Hash: E4D05E353446814BD719EE0CD2D4F597BD4AB84B15F0644E8AC108B766C7B8D9C4CA00
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1724370212.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1380000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b3514c55e0c24b3035d109191f091d5282f83bd882b038429d1cd8c63ee36991
                                    • Instruction ID: f632cd19e3c2b3599e8644bae8900086019191bcf7b2b54e24101ec904aabf62
                                    • Opcode Fuzzy Hash: b3514c55e0c24b3035d109191f091d5282f83bd882b038429d1cd8c63ee36991
                                    • Instruction Fuzzy Hash: EAC09B15706535530D1D315D35105ED734D4B97C69745045BD50D57351CF451D5103DE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1724370212.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1380000_j76l1AiIHm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0bccbae1e5de78894eb3cdde13288cb186015c7b067a5d2587133741202134cb
                                    • Instruction ID: 6938804ae2f7cdc28a8e41d1d17e3b79c1cbc8e67608531210e4aa76fedb83f6
                                    • Opcode Fuzzy Hash: 0bccbae1e5de78894eb3cdde13288cb186015c7b067a5d2587133741202134cb
                                    • Instruction Fuzzy Hash: A1C0929BA4B2806FC70682245D55BC62F21EB93704FCF40C5A185EB592E18AC94983A3
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Execution Graph

                                    Execution Coverage:19.6%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:54
                                    Total number of Limit Nodes:3
                                    execution_graph 7005 17ca5fb 7006 17ca622 DuplicateHandle 7005->7006 7008 17ca66e 7006->7008 7009 17cbab4 7011 17cbaf2 LoadLibraryW 7009->7011 7012 17cbb34 7011->7012 6922 17cbaf2 6924 17cbb18 LoadLibraryW 6922->6924 6925 17cbb34 6924->6925 7013 17ca2ac 7014 17ca2f6 CreateActCtxA 7013->7014 7016 17ca354 7014->7016 6965 7181009 6966 7181042 PostMessageW 6965->6966 6968 718108c 6966->6968 6981 17cb42d 6982 17cb45e LoadLibraryShim 6981->6982 6984 17cb4b8 6982->6984 6985 17ca42a 6986 17ca44e SetErrorMode 6985->6986 6988 17ca48f 6986->6988 6930 7181042 6931 7181077 PostMessageW 6930->6931 6933 71810a2 6930->6933 6932 718108c 6931->6932 6933->6931 6934 17ca622 6935 17ca698 6934->6935 6936 17ca660 DuplicateHandle 6934->6936 6935->6936 6937 17ca66e 6936->6937 6989 17cac22 6990 17cac52 RegOpenKeyExW 6989->6990 6992 17cace0 6990->6992 6969 7180007 6970 7180032 VerLanguageNameW 6969->6970 6972 7180090 6970->6972 6993 17cad19 6994 17cad5a RegQueryValueExW 6993->6994 6996 17cade3 6994->6996 6973 7180431 6975 7180462 DrawTextExW 6973->6975 6976 71804bb 6975->6976 6946 7180032 6947 7180082 VerLanguageNameW 6946->6947 6948 7180090 6947->6948 6997 17cbd10 6998 17cbd32 GetFileVersionInfoW 6997->6998 7000 17cbd84 6998->7000 6953 17ca44e 6954 17ca47a SetErrorMode 6953->6954 6955 17ca4a3 6953->6955 6956 17ca48f 6954->6956 6955->6954 6977 17cbc4b 6978 17cbc82 GetFileVersionInfoSizeW 6977->6978 6980 17cbcc7 6978->6980

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 4886 7180dfa-7180e02 4887 7180e0c-7180e6b 4886->4887 4888 7180e04-7180e07 4886->4888 4890 7180e6d-7180e75 NtResumeThread 4887->4890 4891 7180ea3-7180ea8 4887->4891 4888->4887 4893 7180e7b-7180e8d 4890->4893 4891->4890 4894 7180eaa-7180eaf 4893->4894 4895 7180e8f-7180ea2 4893->4895 4894->4895
                                    APIs
                                    • NtResumeThread.NTDLL(?,?), ref: 07180E73
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1758532623.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7180000_chargeable.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    • Opcode ID: a0e27f81ace32f71ac47d39cac74d35906c67dc410e1f995f7a364cb2b16ea23
                                    • Instruction ID: 05753d043765c5b81901129b5e7ddb21980d4b9934122f70264cafb0e749d4f3
                                    • Opcode Fuzzy Hash: a0e27f81ace32f71ac47d39cac74d35906c67dc410e1f995f7a364cb2b16ea23
                                    • Instruction Fuzzy Hash: 2E2190B14093C49FDB12CF21DC55BA2BFE0AF16224F1D84DEE9C44F153D266954ACB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtWriteVirtualMemory.NTDLL ref: 07180F24
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1758532623.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7180000_chargeable.jbxd
                                    Similarity
                                    • API ID: MemoryVirtualWrite
                                    • String ID:
                                    • API String ID: 3527976591-0
                                    • Opcode ID: b6e3d9cf5a770011a13e75e4be976fa04445bc1399158dc0037d8eb86b9bbc78
                                    • Instruction ID: a8b667de20635516be7f0708598b197d2710d6078422495b71ff1c89f42143ac
                                    • Opcode Fuzzy Hash: b6e3d9cf5a770011a13e75e4be976fa04445bc1399158dc0037d8eb86b9bbc78
                                    • Instruction Fuzzy Hash: 97117271409780AFDB228F55DC44B62FFB4EF4A310F0884DAED858F563D275A518DB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtWriteVirtualMemory.NTDLL ref: 07180F24
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1758532623.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7180000_chargeable.jbxd
                                    Similarity
                                    • API ID: MemoryVirtualWrite
                                    • String ID:
                                    • API String ID: 3527976591-0
                                    • Opcode ID: b7218d39c88dbf5587f72be7be9ac22ae89b8747c415cb57da37620ac455c6ae
                                    • Instruction ID: 321ac619bdf5f7c46f590ae88103013c902114de8ad7e0060747eca620a77a7b
                                    • Opcode Fuzzy Hash: b7218d39c88dbf5587f72be7be9ac22ae89b8747c415cb57da37620ac455c6ae
                                    • Instruction Fuzzy Hash: 4901F172400604DFDB61CF51D884B62FBE0EF19320F08C4AAED498B696D336E008CFA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtResumeThread.NTDLL(?,?), ref: 07180E73
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1758532623.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7180000_chargeable.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    • Opcode ID: dcc0d9bdd7cb800234470d0eef018c7694e4ca9bd9a3c55951e8221111cbf297
                                    • Instruction ID: 2b519458c4c3b7d626391107f28ad52a40c66f9ce75fc4ee8b4578c9f363f024
                                    • Opcode Fuzzy Hash: dcc0d9bdd7cb800234470d0eef018c7694e4ca9bd9a3c55951e8221111cbf297
                                    • Instruction Fuzzy Hash: F201D4719042088FDB60DF15D844762FBE4EF19320F08C49ADD449B286D375E408CEA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 4754 57a9828-57a982f 4767 57a9835 call 18005e0 4754->4767 4768 57a9835 call 1800606 4754->4768 4769 57a9835 call 57a98a0 4754->4769 4756 57a983b-57a9857 4770 57a9859 call 57ac630 4756->4770 4771 57a9859 call 57ac620 4756->4771 4760 57a985e-57a9862 4761 57a987c-57a988c 4760->4761 4762 57a9864-57a986a 4760->4762 4765 57a9897-57a989a 4761->4765 4763 57a986e-57a987a 4762->4763 4764 57a986c 4762->4764 4763->4761 4764->4761 4767->4756 4768->4756 4769->4756 4770->4760 4771->4760
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1757819418.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_57a0000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: \Bl$\Bl
                                    • API String ID: 0-3137230522
                                    • Opcode ID: 139506d0eded7bf21686aa22e043f2f9e061ae197aab403cfba7dc45b6d4e9b8
                                    • Instruction ID: 56e09bc9abc567c4de9e11ab742eaaab91a7c89c8167db8d2fcde7aeb085fcea
                                    • Opcode Fuzzy Hash: 139506d0eded7bf21686aa22e043f2f9e061ae197aab403cfba7dc45b6d4e9b8
                                    • Instruction Fuzzy Hash: 9EF0F632B0021057C621A2A99C11F6E72D697C9B50F25422AE705EF784DEB1EC0647D5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 4772 7180ca1-7180d1a 4775 7180d1c 4772->4775 4776 7180d1f-7180d25 4772->4776 4775->4776 4777 7180d2a-7180d9c 4776->4777 4778 7180d27 4776->4778 4782 7180de9-7180dee 4777->4782 4783 7180d9e-7180da6 CreateProcessA 4777->4783 4778->4777 4782->4783 4785 7180dac-7180dbe 4783->4785 4786 7180df0-7180df5 4785->4786 4787 7180dc0-7180de6 4785->4787 4786->4787
                                    APIs
                                    • CreateProcessA.KERNELBASE(?,00000E24), ref: 07180DA4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1758532623.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7180000_chargeable.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: b7a7233d33482aee213ebef94425978e925e297b66967c7bad15ae98475dbe85
                                    • Instruction ID: fcc8451b15deca9cd289f1d6a1d5c1e465f121be47f8dcc70e551eea2336883c
                                    • Opcode Fuzzy Hash: b7a7233d33482aee213ebef94425978e925e297b66967c7bad15ae98475dbe85
                                    • Instruction Fuzzy Hash: 93418F71104344AFEB22CB65CD41FA2BBF8EF09710F04899AF9859B592D265F949CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 4790 7180cda-7180d1a 4792 7180d1c 4790->4792 4793 7180d1f-7180d25 4790->4793 4792->4793 4794 7180d2a-7180d9c 4793->4794 4795 7180d27 4793->4795 4799 7180de9-7180dee 4794->4799 4800 7180d9e-7180da6 CreateProcessA 4794->4800 4795->4794 4799->4800 4802 7180dac-7180dbe 4800->4802 4803 7180df0-7180df5 4802->4803 4804 7180dc0-7180de6 4802->4804 4803->4804
                                    APIs
                                    • CreateProcessA.KERNELBASE(?,00000E24), ref: 07180DA4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1758532623.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7180000_chargeable.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 4807 17cac22-17cacad 4811 17cacaf 4807->4811 4812 17cacb2-17cacc9 4807->4812 4811->4812 4814 17cad0b-17cad10 4812->4814 4815 17caccb-17cacde RegOpenKeyExW 4812->4815 4814->4815 4816 17cace0-17cad08 4815->4816 4817 17cad12-17cad17 4815->4817 4817->4816
                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 017CACD1
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: Open
                                    • String ID:
                                    • API String ID: 71445658-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 4822 17cad19-17cad97 4825 17cad9c-17cada5 4822->4825 4826 17cad99 4822->4826 4827 17cadaa-17cadb0 4825->4827 4828 17cada7 4825->4828 4826->4825 4829 17cadb5-17cadcc 4827->4829 4830 17cadb2 4827->4830 4828->4827 4832 17cadce-17cade1 RegQueryValueExW 4829->4832 4833 17cae03-17cae08 4829->4833 4830->4829 4834 17cae0a-17cae0f 4832->4834 4835 17cade3-17cae00 4832->4835 4833->4832 4834->4835
                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,ED5250AA,00000000,00000000,00000000,00000000), ref: 017CADD4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    • String ID:
                                    • API String ID: 3660427363-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 4839 17ca2ac-17ca2f3 4840 17ca2f6-17ca34e CreateActCtxA 4839->4840 4842 17ca354-17ca36a 4840->4842
                                    APIs
                                    • CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 017CA346
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 4843 17cac52-17cacad 4846 17cacaf 4843->4846 4847 17cacb2-17cacc9 4843->4847 4846->4847 4849 17cad0b-17cad10 4847->4849 4850 17caccb-17cacde RegOpenKeyExW 4847->4850 4849->4850 4851 17cace0-17cad08 4850->4851 4852 17cad12-17cad17 4850->4852 4852->4851
                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 017CACD1
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: Open
                                    • String ID:
                                    • API String ID: 71445658-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 4857 7180431-7180486 4859 7180488 4857->4859 4860 718048b-718049a 4857->4860 4859->4860 4861 718049c 4860->4861 4862 718049f-71804ab 4860->4862 4861->4862 4863 71804ad-71804b5 DrawTextExW 4862->4863 4864 71804e5-71804ea 4862->4864 4865 71804bb-71804cd 4863->4865 4864->4863 4867 71804ec-71804f1 4865->4867 4868 71804cf-71804e2 4865->4868 4867->4868
                                    APIs
                                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 071804B3
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1758532623.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7180000_chargeable.jbxd
                                    Similarity
                                    • API ID: DrawText
                                    • String ID:
                                    • API String ID: 2175133113-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 4870 17cad5a-17cad97 4872 17cad9c-17cada5 4870->4872 4873 17cad99 4870->4873 4874 17cadaa-17cadb0 4872->4874 4875 17cada7 4872->4875 4873->4872 4876 17cadb5-17cadcc 4874->4876 4877 17cadb2 4874->4877 4875->4874 4879 17cadce-17cade1 RegQueryValueExW 4876->4879 4880 17cae03-17cae08 4876->4880 4877->4876 4881 17cae0a-17cae0f 4879->4881 4882 17cade3-17cae00 4879->4882 4880->4879 4881->4882
                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,ED5250AA,00000000,00000000,00000000,00000000), ref: 017CADD4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    • String ID:
                                    • API String ID: 3660427363-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 4897 17cbab4-17cbb16 4899 17cbb18 4897->4899 4900 17cbb1b-17cbb24 4897->4900 4899->4900 4901 17cbb5c-17cbb61 4900->4901 4902 17cbb26-17cbb46 LoadLibraryW 4900->4902 4901->4902 4905 17cbb48-17cbb5b 4902->4905 4906 17cbb63-17cbb68 4902->4906 4906->4905
                                    APIs
                                    • LoadLibraryW.KERNELBASE(?), ref: 017CBB2C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 4908 17cb42d-17cb488 4910 17cb48d-17cb493 4908->4910 4911 17cb48a 4908->4911 4912 17cb498-17cb4a1 4910->4912 4913 17cb495 4910->4913 4911->4910 4914 17cb4ce-17cb4d3 4912->4914 4915 17cb4a3-17cb4b6 LoadLibraryShim 4912->4915 4913->4912 4914->4915 4916 17cb4b8-17cb4cb 4915->4916 4917 17cb4d5-17cb4da 4915->4917 4917->4916
                                    APIs
                                    • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 017CB4A9
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: LibraryLoadShim
                                    • String ID:
                                    • API String ID: 1475914169-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 07180082
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1758532623.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7180000_chargeable.jbxd
                                    Similarity
                                    • API ID: LanguageName
                                    • String ID:
                                    • API String ID: 2060303382-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 017CBCBF
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: FileInfoSizeVersion
                                    • String ID:
                                    • API String ID: 1661704012-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PostMessageW.USER32(?,?,?,?), ref: 0718107D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1758532623.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7180000_chargeable.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017CA666
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 017CBD75
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: FileInfoVersion
                                    • String ID:
                                    • API String ID: 2427832333-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PostMessageW.USER32(?,?,?,?), ref: 07181405
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1758532623.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7180000_chargeable.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 071804B3
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1758532623.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7180000_chargeable.jbxd
                                    Similarity
                                    • API ID: DrawText
                                    • String ID:
                                    • API String ID: 2175133113-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetErrorMode.KERNELBASE(?), ref: 017CA480
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: ErrorMode
                                    • String ID:
                                    • API String ID: 2340568224-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 017CB4A9
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: LibraryLoadShim
                                    • String ID:
                                    • API String ID: 1475914169-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 017CBD75
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: FileInfoVersion
                                    • String ID:
                                    • API String ID: 2427832333-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017CA666
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 017CBCBF
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: FileInfoSizeVersion
                                    • String ID:
                                    • API String ID: 1661704012-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 07180082
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1758532623.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7180000_chargeable.jbxd
                                    Similarity
                                    • API ID: LanguageName
                                    • String ID:
                                    • API String ID: 2060303382-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 017CA346
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryW.KERNELBASE(?), ref: 017CBB2C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PostMessageW.USER32(?,?,?,?), ref: 07181405
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1758532623.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7180000_chargeable.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PostMessageW.USER32(?,?,?,?), ref: 0718107D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1758532623.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7180000_chargeable.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetErrorMode.KERNELBASE(?), ref: 017CA480
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1756949246.00000000017CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_17ca000_chargeable.jbxd
                                    Similarity
                                    • API ID: ErrorMode
                                    • String ID:
                                    • API String ID: 2340568224-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1757819418.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_57a0000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: \Bl
                                    • API String ID: 0-1835725649
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Execution Graph

                                    Execution Coverage:14.4%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:2.3%
                                    Total number of Nodes:130
                                    Total number of Limit Nodes:5
                                    APIs
                                    • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 054E14A7
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: AdjustPrivilegesToken
                                    • String ID:
                                    • API String ID: 2874748243-0
                                    • Opcode ID: d0f68ed0551e773d77114f7177a63c1124ff711cfc5cf1f93abe300a21809dfd
                                    • Instruction ID: db7c28a81abaeb6cb73c0abf0bc18d2d75308eede78e431be9c0983d46d3aa76
                                    • Opcode Fuzzy Hash: d0f68ed0551e773d77114f7177a63c1124ff711cfc5cf1f93abe300a21809dfd
                                    • Instruction Fuzzy Hash: 8A2191755097809FDB228F25DC44BA2BFB4FF06210F0884DAE9858F663D275E918DB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 054E14A7
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: AdjustPrivilegesToken
                                    • String ID:
                                    • API String ID: 2874748243-0
                                    • Opcode ID: 46c65b390e692433c78b3cb417f9de46567da17a2bf920d2929b9d9b5b3aa587
                                    • Instruction ID: bf1e085116542a2b7725b4497da157f83a7f8296911458ae08baa9abd528b33e
                                    • Opcode Fuzzy Hash: 46c65b390e692433c78b3cb417f9de46567da17a2bf920d2929b9d9b5b3aa587
                                    • Instruction Fuzzy Hash: 801170765006009FEB20CF55D984BA6FBE9FF08221F08C4AAED868B752D335E418DB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 34c70f26e950d0e456a777d1e898d8cbaf44f476c35c6d826bb3f94063e377c3
                                    • Instruction ID: 1fe5abc3a8386c3834df1ab778b548a208e5af6e3000d90264284cb3668f3f2a
                                    • Opcode Fuzzy Hash: 34c70f26e950d0e456a777d1e898d8cbaf44f476c35c6d826bb3f94063e377c3
                                    • Instruction Fuzzy Hash: 6141E4725093C05FD7138B658C49B96BFB4EF07224F0985DBE5848B2A3D365A90DC772
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 052E0B8F
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106017932.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_52e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 02aaffff4b28a419de235f3ed34fa443a3aea4985c9711b1f30d984ac8a0b539
                                    • Instruction ID: aeebfe168f567474a679f7075809c89b4ed27c2078633acae2841444988c38f8
                                    • Opcode Fuzzy Hash: 02aaffff4b28a419de235f3ed34fa443a3aea4985c9711b1f30d984ac8a0b539
                                    • Instruction Fuzzy Hash: 11419131A102058FCB04DF79C5885ADB7F2EF88318F5984A9D809EB35ADB75DD46CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 052E0B8F
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106017932.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_52e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 683f89a93f9ca317257364fd439fae7597f0a430fdd07e82830997e46d76af56
                                    • Instruction ID: 7b2a64548ebe4194af4cd447bf0b44183c03ccbd12bbcdc4c328946ffebac7b4
                                    • Opcode Fuzzy Hash: 683f89a93f9ca317257364fd439fae7597f0a430fdd07e82830997e46d76af56
                                    • Instruction Fuzzy Hash: 13417131A102058FCB04DF79C5886A9B7F2EF88304F5584A9D809EB359DB75DD46CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0131B989
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: daa98cd1542193805aae3732f505126fb0dee77bf238f0146e8849fee22f220f
                                    • Instruction ID: 0d06f6ead679a47723452e3b0461f74e7e40653ac86e09028a8b617305450b4a
                                    • Opcode Fuzzy Hash: daa98cd1542193805aae3732f505126fb0dee77bf238f0146e8849fee22f220f
                                    • Instruction Fuzzy Hash: 5A31A071504380AFE712CF65CC40BA2BFF8EF06314F08889AE9858B653D265E809DB71
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 054E2A7D
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: e1980e38d6596cc6f4ff6eebf421fc0d6767e45a78603f1472d7176225c06108
                                    • Instruction ID: b5acb2cf1f5b4a77e41cc458a40b1a784a88016e7c3528eb35bb6160450b3c52
                                    • Opcode Fuzzy Hash: e1980e38d6596cc6f4ff6eebf421fc0d6767e45a78603f1472d7176225c06108
                                    • Instruction Fuzzy Hash: A431CD76504344AFEB228B21CD40FB7BBECEF09210F08849AF985DB652D264E808CB71
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0131BEFE
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    • String ID:
                                    • API String ID: 3660427363-0
                                    • Opcode ID: 1a5a9831c360948c44eb58d283f5f213ee20eb707e81e26ee575585cfa24aa4d
                                    • Instruction ID: 070e0aa4fa38b4e93e6480f5a42d0b4c97dcbc026d7412886507711153f7515e
                                    • Opcode Fuzzy Hash: 1a5a9831c360948c44eb58d283f5f213ee20eb707e81e26ee575585cfa24aa4d
                                    • Instruction Fuzzy Hash: 9B31816510E7C0AFD3138B358C61A61BF74EF47614F0E85CBD8849B6A3D1296859C7B2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0131A879
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: Open
                                    • String ID:
                                    • API String ID: 71445658-0
                                    • Opcode ID: 30408d7cf1b0202dfb1946a911e0a998b34ac0acd4e6189ef6d266a37ae1dbdb
                                    • Instruction ID: 8a7afa8b81231bb3c70f9e55910ee8de2fdcf7961b9f6a4842c8e1be8095c7e1
                                    • Opcode Fuzzy Hash: 30408d7cf1b0202dfb1946a911e0a998b34ac0acd4e6189ef6d266a37ae1dbdb
                                    • Instruction Fuzzy Hash: AC3195714093846FE7228B659C44FA7BFFCEF06214F08849AE9849B653D264A54DC771
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • getaddrinfo.WS2_32(?,00000E24), ref: 054E0E1B
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: getaddrinfo
                                    • String ID:
                                    • API String ID: 300660673-0
                                    • Opcode ID: 8c5ab3bd3847b6c03a6aa96247b0a1bed6916880cec168b9ab9883af0ca59d10
                                    • Instruction ID: 860a7d19e5d5df39089ea43a6d35802dfde946e40c49149b24d1960c2206ff75
                                    • Opcode Fuzzy Hash: 8c5ab3bd3847b6c03a6aa96247b0a1bed6916880cec168b9ab9883af0ca59d10
                                    • Instruction Fuzzy Hash: 043191B1504344AFEB21CB61DD44FA7FBACEB44714F04889AFA489B692D374A94CCB71
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetProcessTimes.KERNELBASE(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 054E0CE9
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: ProcessTimes
                                    • String ID:
                                    • API String ID: 1995159646-0
                                    • Opcode ID: d8ffe9e979e9511c76491ac095fb90ffe423138892d670e897b2c42a7a711d2f
                                    • Instruction ID: dcbebfe3bbb78a53cf90ddf785df5f93b94e9524bd306a0221bfc38358ae2252
                                    • Opcode Fuzzy Hash: d8ffe9e979e9511c76491ac095fb90ffe423138892d670e897b2c42a7a711d2f
                                    • Instruction Fuzzy Hash: FC31E8755097805FE7228F21DC44FA6BFB8EF46324F0884DBE8859F192D264A549C771
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateMutexW.KERNELBASE(?,?), ref: 0131A6B9
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: CreateMutex
                                    • String ID:
                                    • API String ID: 1964310414-0
                                    • Opcode ID: e20318339d5ffa5acc93e997c4a57636de040949d7868fdf65176b6c60722a12
                                    • Instruction ID: 58e131a94f51e92d5a0e84b75b48d51d6b1588b1a1f8d31d53c8fa24507b7a8c
                                    • Opcode Fuzzy Hash: e20318339d5ffa5acc93e997c4a57636de040949d7868fdf65176b6c60722a12
                                    • Instruction Fuzzy Hash: E131B1B15093806FE712CB65CD85B96BFF8EF06214F08889AE984CB293D374E909C761
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 054E05DF
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: DescriptorSecurity$ConvertString
                                    • String ID:
                                    • API String ID: 3907675253-0
                                    • Opcode ID: 95bae3800bf04bc416092223824f13efac25d7fceb84dba07b5c2e45bf3ba399
                                    • Instruction ID: 8c670ada5856296858a114bab3d66c65d89fbd740994ad18ae1577cc9cf4a783
                                    • Opcode Fuzzy Hash: 95bae3800bf04bc416092223824f13efac25d7fceb84dba07b5c2e45bf3ba399
                                    • Instruction Fuzzy Hash: 7231BF71504384AFE721CF25DC45FA7BBE8EF46210F0884AAF944DB652D364E948CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SendMessageTimeoutA.USER32(?,00000E24), ref: 0131A97D
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: MessageSendTimeout
                                    • String ID:
                                    • API String ID: 1599653421-0
                                    • Opcode ID: 7800c8f83b987c2da4b4f5167cbf428eb8e384df8726c2424c31a38e486b2ffe
                                    • Instruction ID: baad25060bf4447248256df697cccb1572a801e06af385c4e0d0c37d8e5a1501
                                    • Opcode Fuzzy Hash: 7800c8f83b987c2da4b4f5167cbf428eb8e384df8726c2424c31a38e486b2ffe
                                    • Instruction Fuzzy Hash: 7B31F671005780AFEB228F60CC44FA2FFB8EF46314F08849AE9848B593D274A44CCB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 054E2A7D
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: 4625cd178efa0b97bfd4702b1c47c941e4a8d1272e0bf77eb73edcf15543854a
                                    • Instruction ID: 50566484437eaa1732be13d2d98e4448233529a7f03bd3b1b250fe39337f0507
                                    • Opcode Fuzzy Hash: 4625cd178efa0b97bfd4702b1c47c941e4a8d1272e0bf77eb73edcf15543854a
                                    • Instruction Fuzzy Hash: B0219A76504604AFEB31CF25CD45FA7BBECEF08224F08845AE946DB652E364E448CA61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 0131A40C
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    • String ID:
                                    • API String ID: 3660427363-0
                                    • Opcode ID: b507eca650e475ade3bb039cd82fe1d63e5ba1dbcb09e327b5adf6740418cad7
                                    • Instruction ID: b43555a9882eb49cf3f35ced4f588f3e0badb3dc4897e89af687d24b2408f3a8
                                    • Opcode Fuzzy Hash: b507eca650e475ade3bb039cd82fe1d63e5ba1dbcb09e327b5adf6740418cad7
                                    • Instruction Fuzzy Hash: 6D316F75505780AFE722CF15CC84FA2BFF8EF06614F08849AE9459B292D364E949CB71
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • getaddrinfo.WS2_32(?,00000E24), ref: 054E0E1B
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: getaddrinfo
                                    • String ID:
                                    • API String ID: 300660673-0
                                    • Opcode ID: 058bf27582cfa81832923af7d2294203c2f157f476d5101ac9418fc0faed6af9
                                    • Instruction ID: 582719c0d624bd8b8361690aaae343e77c1f58b7077ab2f44d8bdd8a777983f4
                                    • Opcode Fuzzy Hash: 058bf27582cfa81832923af7d2294203c2f157f476d5101ac9418fc0faed6af9
                                    • Instruction Fuzzy Hash: 10219F72500204AEEB20DB65DD85FF6F7ACEB04714F0488AAFA489A681D7B4E54D8B71
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WSASocketW.WS2_32(?,?,?,?,?), ref: 054E009E
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: Socket
                                    • String ID:
                                    • API String ID: 38366605-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileType.KERNELBASE(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 0131BA75
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: FileType
                                    • String ID:
                                    • API String ID: 3081899298-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: select
                                    • String ID:
                                    • API String ID: 1274211008-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 054E1286
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: InformationVolume
                                    • String ID:
                                    • API String ID: 2039140958-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetExitCodeProcess.KERNELBASE(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 054E1630
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: CodeExitProcess
                                    • String ID:
                                    • API String ID: 3861947596-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegSetValueExW.KERNELBASE(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 0131A4F8
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: Value
                                    • String ID:
                                    • API String ID: 3702945584-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0131B989
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 054E05DF
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: DescriptorSecurity$ConvertString
                                    • String ID:
                                    • API String ID: 3907675253-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 054E04F4
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    • String ID:
                                    • API String ID: 3660427363-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0131A879
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: Open
                                    • String ID:
                                    • API String ID: 71445658-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetProcessWorkingSetSize.KERNEL32(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 054E17F3
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: ProcessSizeWorking
                                    • String ID:
                                    • API String ID: 3584180929-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetProcessWorkingSetSize.KERNEL32(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 054E170F
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: ProcessSizeWorking
                                    • String ID:
                                    • API String ID: 3584180929-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateMutexW.KERNELBASE(?,?), ref: 0131A6B9
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: CreateMutex
                                    • String ID:
                                    • API String ID: 1964310414-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: send
                                    • String ID:
                                    • API String ID: 2809346765-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ReadFile.KERNELBASE(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 0131BD41
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: FileRead
                                    • String ID:
                                    • API String ID: 2738559852-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 0131A40C
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    • String ID:
                                    • API String ID: 3660427363-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ioctlsocket.WS2_32(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 054E2C0B
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: ioctlsocket
                                    • String ID:
                                    • API String ID: 3577187118-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 054E1560
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: ChangeCloseFindNotification
                                    • String ID:
                                    • API String ID: 2591292051-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: FileView
                                    • String ID:
                                    • API String ID: 3314676101-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WSASocketW.WS2_32(?,?,?,?,?), ref: 054E009E
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: Socket
                                    • String ID:
                                    • API String ID: 38366605-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 0131A780
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: ChangeCloseFindNotification
                                    • String ID:
                                    • API String ID: 2591292051-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SendMessageTimeoutA.USER32(?,00000E24), ref: 0131A97D
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: MessageSendTimeout
                                    • String ID:
                                    • API String ID: 1599653421-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNELBASE(?,00000E24), ref: 054E1D63
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegSetValueExW.KERNELBASE(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 0131A4F8
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: Value
                                    • String ID:
                                    • API String ID: 3702945584-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 054E04F4
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    • String ID:
                                    • API String ID: 3660427363-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetProcessTimes.KERNELBASE(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 054E0CE9
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: ProcessTimes
                                    • String ID:
                                    • API String ID: 1995159646-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 054E1326
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: LookupPrivilegeValue
                                    • String ID:
                                    • API String ID: 3899507212-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetProcessWorkingSetSize.KERNEL32(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 054E17F3
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: ProcessSizeWorking
                                    • String ID:
                                    • API String ID: 3584180929-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 054E043A
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: ComputerName
                                    • String ID:
                                    • API String ID: 3545744682-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetProcessWorkingSetSize.KERNEL32(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 054E170F
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: ProcessSizeWorking
                                    • String ID:
                                    • API String ID: 3584180929-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0131AFFE
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetExitCodeProcess.KERNELBASE(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 054E1630
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: CodeExitProcess
                                    • String ID:
                                    • API String ID: 3861947596-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ReadFile.KERNELBASE(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 0131BD41
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: FileRead
                                    • String ID:
                                    • API String ID: 2738559852-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 054E1A42
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: Connect
                                    • String ID:
                                    • API String ID: 3144859779-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ioctlsocket.WS2_32(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 054E2C0B
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: ioctlsocket
                                    • String ID:
                                    • API String ID: 3577187118-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: closesocket
                                    • String ID:
                                    • API String ID: 2781271927-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetErrorMode.KERNELBASE(?), ref: 0131A330
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: ErrorMode
                                    • String ID:
                                    • API String ID: 2340568224-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNELBASE(?,00000E24), ref: 054E1D63
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: select
                                    • String ID:
                                    • API String ID: 1274211008-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 054E1326
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: LookupPrivilegeValue
                                    • String ID:
                                    • API String ID: 3899507212-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileType.KERNELBASE(?,00000E24,8D04846A,00000000,00000000,00000000,00000000), ref: 0131BA75
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: FileType
                                    • String ID:
                                    • API String ID: 3081899298-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 054E1A42
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: Connect
                                    • String ID:
                                    • API String ID: 3144859779-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 054E1286
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: InformationVolume
                                    • String ID:
                                    • API String ID: 2039140958-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0131AFFE
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0131BEFE
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    • String ID:
                                    • API String ID: 3660427363-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 0131A780
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: ChangeCloseFindNotification
                                    • String ID:
                                    • API String ID: 2591292051-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 054E1560
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: ChangeCloseFindNotification
                                    • String ID:
                                    • API String ID: 2591292051-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 054E043A
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106305063.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_54e0000_chargeable.jbxd
                                    Similarity
                                    • API ID: ComputerName
                                    • String ID:
                                    • API String ID: 3545744682-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: send
                                    • String ID:
                                    • API String ID: 2809346765-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: closesocket
                                    • String ID:
                                    • API String ID: 2781271927-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetErrorMode.KERNELBASE(?), ref: 0131A330
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101566512.000000000131A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_131a000_chargeable.jbxd
                                    Similarity
                                    • API ID: ErrorMode
                                    • String ID:
                                    • API String ID: 2340568224-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101962571.00000000014E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_14e0000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101962571.00000000014E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_14e0000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106354267.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_5a20000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101687222.000000000133A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_133a000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101962571.00000000014E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_14e0000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101962571.00000000014E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_14e0000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101962571.00000000014E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_14e0000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101962571.00000000014E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_14e0000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106354267.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_5a20000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106354267.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_5a20000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101687222.000000000133A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_133a000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101544666.0000000001312000.00000040.00000800.00020000.00000000.sdmp, Offset: 01312000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_1312000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4101544666.0000000001312000.00000040.00000800.00020000.00000000.sdmp, Offset: 01312000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_1312000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.4106017932.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_52e0000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $ $:@k$:@k$:@k$:@k$:@k$:@k$:@k
                                    • API String ID: 0-1999185200
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Execution Graph

                                    Execution Coverage:20.2%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:126
                                    Total number of Limit Nodes:11

                                    Control-flow Graph

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1816518030.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_1290000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1816518030.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_1290000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1816518030.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_1290000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: \Bl$\Bl
                                    • API String ID: 0-3137230522
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00B0ACD1
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: Open
                                    • String ID:
                                    • API String ID: 71445658-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,A6511C83,00000000,00000000,00000000,00000000), ref: 00B0ADD4
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    • String ID:
                                    • API String ID: 3660427363-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 4835 b0a2ac-b0a2f3 4836 b0a2f6-b0a34e CreateActCtxA 4835->4836 4838 b0a354-b0a36a 4836->4838
                                    APIs
                                    • CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 00B0A346
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 4839 b0ac52-b0acad 4842 b0acb2-b0acc9 4839->4842 4843 b0acaf 4839->4843 4845 b0ad0b-b0ad10 4842->4845 4846 b0accb-b0acde RegOpenKeyExW 4842->4846 4843->4842 4845->4846 4847 b0ace0-b0ad08 4846->4847 4848 b0ad12-b0ad17 4846->4848 4848->4847
                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00B0ACD1
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: Open
                                    • String ID:
                                    • API String ID: 71445658-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 4866 b0ad5a-b0ad97 4868 b0ad99 4866->4868 4869 b0ad9c-b0ada5 4866->4869 4868->4869 4870 b0ada7 4869->4870 4871 b0adaa-b0adb0 4869->4871 4870->4871 4872 b0adb2 4871->4872 4873 b0adb5-b0adcc 4871->4873 4872->4873 4875 b0ae03-b0ae08 4873->4875 4876 b0adce-b0ade1 RegQueryValueExW 4873->4876 4875->4876 4877 b0ade3-b0ae00 4876->4877 4878 b0ae0a-b0ae0f 4876->4878 4878->4877
                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,A6511C83,00000000,00000000,00000000,00000000), ref: 00B0ADD4
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    • String ID:
                                    • API String ID: 3660427363-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 4893 b0bab4-b0bb16 4895 b0bb18 4893->4895 4896 b0bb1b-b0bb24 4893->4896 4895->4896 4897 b0bb26-b0bb46 LoadLibraryW 4896->4897 4898 b0bb5c-b0bb61 4896->4898 4901 b0bb63-b0bb68 4897->4901 4902 b0bb48-b0bb5b 4897->4902 4898->4897 4901->4902
                                    APIs
                                    • LoadLibraryW.KERNELBASE(?), ref: 00B0BB2C
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 4904 b0b42d-b0b488 4906 b0b48a 4904->4906 4907 b0b48d-b0b493 4904->4907 4906->4907 4908 b0b495 4907->4908 4909 b0b498-b0b4a1 4907->4909 4908->4909 4910 b0b4a3-b0b4b6 LoadLibraryShim 4909->4910 4911 b0b4ce-b0b4d3 4909->4911 4912 b0b4d5-b0b4da 4910->4912 4913 b0b4b8-b0b4cb 4910->4913 4911->4910 4912->4913
                                    APIs
                                    • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00B0B4A9
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: LibraryLoadShim
                                    • String ID:
                                    • API String ID: 1475914169-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 00B0BCBF
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: FileInfoSizeVersion
                                    • String ID:
                                    • API String ID: 1661704012-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B0A666
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 00B0BD75
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: FileInfoVersion
                                    • String ID:
                                    • API String ID: 2427832333-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetErrorMode.KERNELBASE(?), ref: 00B0A480
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: ErrorMode
                                    • String ID:
                                    • API String ID: 2340568224-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 00B0BD75
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: FileInfoVersion
                                    • String ID:
                                    • API String ID: 2427832333-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00B0B4A9
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: LibraryLoadShim
                                    • String ID:
                                    • API String ID: 1475914169-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B0A666
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 00B0BCBF
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: FileInfoSizeVersion
                                    • String ID:
                                    • API String ID: 1661704012-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryW.KERNELBASE(?), ref: 00B0BB2C
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 00B0A346
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetErrorMode.KERNELBASE(?), ref: 00B0A480
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815467703.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b0a000_chargeable.jbxd
                                    Similarity
                                    • API ID: ErrorMode
                                    • String ID:
                                    • API String ID: 2340568224-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1816574160.00000000012E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_12e0000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: be04f7a671137822ee299a56fd2709daa6627916257e4a295cd3a9acf825bb45
                                    • Instruction ID: 7bd94b0f016bcb30cba2593fa6b87dfd949e8bc6dc84c7df68c45c18f4420b0b
                                    • Opcode Fuzzy Hash: be04f7a671137822ee299a56fd2709daa6627916257e4a295cd3a9acf825bb45
                                    • Instruction Fuzzy Hash: B9219E6155E3C58FD3038B749C251A0BFB0AE13221B0E85EBC484CF5A3E26D5D8AC772
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1816518030.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_1290000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5acb623c7a9d53825cee6fdcb970658201de6184f80899f0a1c5a4d099b0c9e7
                                    • Instruction ID: 70d39f354f6b354ab1bae31b58c708c2d03d8eec282b5b383f3f97f588977a03
                                    • Opcode Fuzzy Hash: 5acb623c7a9d53825cee6fdcb970658201de6184f80899f0a1c5a4d099b0c9e7
                                    • Instruction Fuzzy Hash: B331C630B2414A8BEF259B7D84797BE7EE29B89214F18406DC502E7791DF708C16DB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1816518030.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_1290000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 403b629c0cfd9517df412d94f1ae60e2bdf3ec52faa79c25dca92259cba611e5
                                    • Instruction ID: dbc2576c5464281aaafe8e6b33461421e0a9b0f3b542cfff2e19f4bc7e45ffa7
                                    • Opcode Fuzzy Hash: 403b629c0cfd9517df412d94f1ae60e2bdf3ec52faa79c25dca92259cba611e5
                                    • Instruction Fuzzy Hash: 1F310134B042428FCF16EB6CD954ABEBBB1FF88314B10812AD905DB795DB30AD54CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1816574160.00000000012E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_12e0000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e61a5558d772c19f7a81c284b5b04092ef391683c352f4fb4ac1879b5e8bfb7e
                                    • Instruction ID: 700d45384419a78874e3e3dc47da3e028e55fe9cfba9f82cc37335eb51cf4f5f
                                    • Opcode Fuzzy Hash: e61a5558d772c19f7a81c284b5b04092ef391683c352f4fb4ac1879b5e8bfb7e
                                    • Instruction Fuzzy Hash: 3C110230354281DFD705CB14C988B26BBD1EB89718F24C59CF6491BB42C7BBD803CA95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1816574160.00000000012E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_12e0000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c2d8ca02dac09a38d9425f3e373395c257e7c382f97891ad9c76a0207b0d1d05
                                    • Instruction ID: 0c2b1521878fe91e16af5609cf32a0560d8f024eac25db7afc95d364a31cd4a3
                                    • Opcode Fuzzy Hash: c2d8ca02dac09a38d9425f3e373395c257e7c382f97891ad9c76a0207b0d1d05
                                    • Instruction Fuzzy Hash: 99216A3524D3C19FC7178B24C964B15BFB1AF47214F2989DEE4848B6A3C27A8807CB52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1816574160.00000000012E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_12e0000_chargeable.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5fa93b73b557f9c59a2ef36f01cc6f9a1fa398cc9f9295857c3e3791f00e6cc3
                                    • Instruction ID: 637d5153dbc23998acfb5d4e759537791f286deda9e55838815d05091fb9717e
                                    • Opcode Fuzzy Hash: 5fa93b73b557f9c59a2ef36f01cc6f9a1fa398cc9f9295857c3e3791f00e6cc3
                                    • Instruction Fuzzy Hash: BD215E3525D3C18FC707CB24D994B15BFB1AF46204F2885DEE5854B6A3C37A8807CB52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1816574160.00000000012E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_12e0000_chargeable.jbxd
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1816574160.00000000012E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_12e0000_chargeable.jbxd
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1816574160.00000000012E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_12e0000_chargeable.jbxd
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1816574160.00000000012E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_12e0000_chargeable.jbxd
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1816574160.00000000012E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_12e0000_chargeable.jbxd
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815417844.0000000000B02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B02000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b02000_chargeable.jbxd
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1815417844.0000000000B02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B02000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_b02000_chargeable.jbxd
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1816518030.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_1290000_chargeable.jbxd
                                    Uniqueness

                                    Uniqueness Score: -1.00%