Edit tour

Windows Analysis Report
SjMIbKjuDL.exe

Overview

General Information

Sample name:	SjMIbKjuDL.exe renamed because original name is a hash value
Original sample name:	21d48723fd950d9b624103ee4dd625f8.exe
Analysis ID:	1425839
MD5:	21d48723fd950d9b624103ee4dd625f8
SHA1:	c8464eb2e1c60294cc2130143802dde486cfe215
SHA256:	b28b6fb51ad601426665371ccd212a0038865c40f73b76cc1adba27da491cebf
Tags:	exenjratRAT
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code contains process injector

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Creates multiple autostart registry keys

Disables zone checking for all users

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Uses netsh to modify the Windows network and firewall settings

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SjMIbKjuDL.exe (PID: 6696 cmdline: "C:\Users\user\Desktop\SjMIbKjuDL.exe" MD5: 21D48723FD950D9B624103EE4DD625F8)

chargeable.exe (PID: 2836 cmdline: "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" MD5: 8333797879EB8B484866624323C08DE3)

chargeable.exe (PID: 6472 cmdline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe MD5: 8333797879EB8B484866624323C08DE3)

netsh.exe (PID: 1544 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 2144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chargeable.exe (PID: 6740 cmdline: "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" MD5: 8333797879EB8B484866624323C08DE3)

chargeable.exe (PID: 7112 cmdline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe MD5: 8333797879EB8B484866624323C08DE3)

SjMIbKjuDL.exe (PID: 2496 cmdline: "C:\Users\user\Desktop\SjMIbKjuDL.exe" MD5: 21D48723FD950D9B624103EE4DD625F8)

chargeable.exe (PID: 344 cmdline: "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" MD5: 8333797879EB8B484866624323C08DE3)

chargeable.exe (PID: 6160 cmdline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe MD5: 8333797879EB8B484866624323C08DE3)

SjMIbKjuDL.exe (PID: 7156 cmdline: "C:\Users\user\Desktop\SjMIbKjuDL.exe" MD5: 21D48723FD950D9B624103EE4DD625F8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "doddyfire.linkpc.net", "Port": "10000", "Version": "0.7d", "Campaign ID": "neuf", "Install Name": "softcontrol.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Njrat_1	Yara detected Njrat	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x3a9a:$a1: get_Registry 0x4b76:$a2: SEE_MASK_NOZONECHECKS 0x4c72:$a3: Download ERROR 0x4b38:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4aca:$a5: netsh firewall delete allowedprogram "
00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4ba6:$a1: netsh firewall add allowedprogram 0x4b76:$a2: SEE_MASK_NOZONECHECKS 0x4e20:$b1: [TAP] 0x4b38:$c3: cmd.exe /c ping
00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b76:$reg: SEE_MASK_NOZONECHECKS 0x4c4e:$msg: Execute ERROR 0x4caa:$msg: Execute ERROR 0x4b38:$ping: cmd.exe /c ping 0 -n 2 & del
00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x4070e:$a1: get_Registry 0x417ea:$a2: SEE_MASK_NOZONECHECKS 0x418e6:$a3: Download ERROR 0x417ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4173e:$a5: netsh firewall delete allowedprogram "
00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4181a:$a1: netsh firewall add allowedprogram 0x417ea:$a2: SEE_MASK_NOZONECHECKS 0x41a94:$b1: [TAP] 0x417ac:$c3: cmd.exe /c ping
00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x417ea:$reg: SEE_MASK_NOZONECHECKS 0x418c2:$msg: Execute ERROR 0x4191e:$msg: Execute ERROR 0x417ac:$ping: cmd.exe /c ping 0 -n 2 & del
0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x4070a:$a1: get_Registry 0x417e6:$a2: SEE_MASK_NOZONECHECKS 0x418e2:$a3: Download ERROR 0x417a8:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4173a:$a5: netsh firewall delete allowedprogram "
0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x41816:$a1: netsh firewall add allowedprogram 0x417e6:$a2: SEE_MASK_NOZONECHECKS 0x41a90:$b1: [TAP] 0x417a8:$c3: cmd.exe /c ping
0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x417e6:$reg: SEE_MASK_NOZONECHECKS 0x418be:$msg: Execute ERROR 0x4191a:$msg: Execute ERROR 0x417a8:$ping: cmd.exe /c ping 0 -n 2 & del
00000003.00000002.4134329459.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: chargeable.exe PID: 2836	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: chargeable.exe PID: 6472	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: chargeable.exe PID: 7112	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: chargeable.exe PID: 344	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.chargeable.exe.330da70.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.2.chargeable.exe.330da70.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x3c9a:$a1: get_Registry 0x4d76:$a2: SEE_MASK_NOZONECHECKS 0x4e72:$a3: Download ERROR 0x4d38:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4cca:$a5: netsh firewall delete allowedprogram "
6.2.chargeable.exe.400000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.2.chargeable.exe.330da70.0.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d38:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e90:$s3: Executed As 0x4e72:$s6: Download ERROR
6.2.chargeable.exe.400000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x3c9a:$a1: get_Registry 0x4d76:$a2: SEE_MASK_NOZONECHECKS 0x4e72:$a3: Download ERROR 0x4d38:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4cca:$a5: netsh firewall delete allowedprogram "
12.2.chargeable.exe.330da70.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4da6:$a1: netsh firewall add allowedprogram 0x4d76:$a2: SEE_MASK_NOZONECHECKS 0x5020:$b1: [TAP] 0x4d38:$c3: cmd.exe /c ping
6.2.chargeable.exe.400000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d38:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e90:$s3: Executed As 0x4e72:$s6: Download ERROR
12.2.chargeable.exe.330da70.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d76:$reg: SEE_MASK_NOZONECHECKS 0x4e4e:$msg: Execute ERROR 0x4eaa:$msg: Execute ERROR 0x4d38:$ping: cmd.exe /c ping 0 -n 2 & del
12.2.chargeable.exe.330da70.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cca:$s1: netsh firewall delete allowedprogram 0x4da6:$s2: netsh firewall add allowedprogram 0x4d38:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e4e:$s4: Execute ERROR 0x4eaa:$s4: Execute ERROR 0x4e72:$s5: Download ERROR 0x4fd6:$s6: [kl]
6.2.chargeable.exe.400000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4da6:$a1: netsh firewall add allowedprogram 0x4d76:$a2: SEE_MASK_NOZONECHECKS 0x5020:$b1: [TAP] 0x4d38:$c3: cmd.exe /c ping
6.2.chargeable.exe.400000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d76:$reg: SEE_MASK_NOZONECHECKS 0x4e4e:$msg: Execute ERROR 0x4eaa:$msg: Execute ERROR 0x4d38:$ping: cmd.exe /c ping 0 -n 2 & del
6.2.chargeable.exe.400000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cca:$s1: netsh firewall delete allowedprogram 0x4da6:$s2: netsh firewall add allowedprogram 0x4d38:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e4e:$s4: Execute ERROR 0x4eaa:$s4: Execute ERROR 0x4e72:$s5: Download ERROR 0x4fd6:$s6: [kl]
12.2.chargeable.exe.330da70.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.2.chargeable.exe.330da70.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1e9a:$a1: get_Registry 0x2f76:$a2: SEE_MASK_NOZONECHECKS 0x3072:$a3: Download ERROR 0x2f38:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2eca:$a5: netsh firewall delete allowedprogram "
12.2.chargeable.exe.330da70.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x2f38:$x1: cmd.exe /c ping 0 -n 2 & del " 0x3090:$s3: Executed As 0x3072:$s6: Download ERROR
12.2.chargeable.exe.330da70.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2fa6:$a1: netsh firewall add allowedprogram 0x2f76:$a2: SEE_MASK_NOZONECHECKS 0x3220:$b1: [TAP] 0x2f38:$c3: cmd.exe /c ping
12.2.chargeable.exe.330da70.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2f76:$reg: SEE_MASK_NOZONECHECKS 0x304e:$msg: Execute ERROR 0x30aa:$msg: Execute ERROR 0x2f38:$ping: cmd.exe /c ping 0 -n 2 & del
12.2.chargeable.exe.330da70.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2eca:$s1: netsh firewall delete allowedprogram 0x2fa6:$s2: netsh firewall add allowedprogram 0x2f38:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x304e:$s4: Execute ERROR 0x30aa:$s4: Execute ERROR 0x3072:$s5: Download ERROR 0x31d6:$s6: [kl]
2.2.chargeable.exe.369da74.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
2.2.chargeable.exe.369da74.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1e9a:$a1: get_Registry 0x2f76:$a2: SEE_MASK_NOZONECHECKS 0x3072:$a3: Download ERROR 0x2f38:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2eca:$a5: netsh firewall delete allowedprogram "
2.2.chargeable.exe.369da74.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x2f38:$x1: cmd.exe /c ping 0 -n 2 & del " 0x3090:$s3: Executed As 0x3072:$s6: Download ERROR
2.2.chargeable.exe.369da74.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2fa6:$a1: netsh firewall add allowedprogram 0x2f76:$a2: SEE_MASK_NOZONECHECKS 0x3220:$b1: [TAP] 0x2f38:$c3: cmd.exe /c ping
2.2.chargeable.exe.369da74.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2f76:$reg: SEE_MASK_NOZONECHECKS 0x304e:$msg: Execute ERROR 0x30aa:$msg: Execute ERROR 0x2f38:$ping: cmd.exe /c ping 0 -n 2 & del
2.2.chargeable.exe.369da74.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2eca:$s1: netsh firewall delete allowedprogram 0x2fa6:$s2: netsh firewall add allowedprogram 0x2f38:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x304e:$s4: Execute ERROR 0x30aa:$s4: Execute ERROR 0x3072:$s5: Download ERROR 0x31d6:$s6: [kl]
2.2.chargeable.exe.369da74.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
2.2.chargeable.exe.369da74.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x3c9a:$a1: get_Registry 0x4d76:$a2: SEE_MASK_NOZONECHECKS 0x4e72:$a3: Download ERROR 0x4d38:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4cca:$a5: netsh firewall delete allowedprogram "
2.2.chargeable.exe.369da74.0.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d38:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e90:$s3: Executed As 0x4e72:$s6: Download ERROR
2.2.chargeable.exe.369da74.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4da6:$a1: netsh firewall add allowedprogram 0x4d76:$a2: SEE_MASK_NOZONECHECKS 0x5020:$b1: [TAP] 0x4d38:$c3: cmd.exe /c ping
2.2.chargeable.exe.369da74.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d76:$reg: SEE_MASK_NOZONECHECKS 0x4e4e:$msg: Execute ERROR 0x4eaa:$msg: Execute ERROR 0x4d38:$ping: cmd.exe /c ping 0 -n 2 & del
2.2.chargeable.exe.369da74.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cca:$s1: netsh firewall delete allowedprogram 0x4da6:$s2: netsh firewall add allowedprogram 0x4d38:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e4e:$s4: Execute ERROR 0x4eaa:$s4: Execute ERROR 0x4e72:$s5: Download ERROR 0x4fd6:$s6: [kl]
Click to see the 25 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SjMIbKjuDL.exe, ProcessId: 6696, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse

Snort Signatures

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 41.248.119.194

Timestamp:	04/15/24-00:32:20.305773
SID:	2033132
Source Port:	49740
Destination Port:	10000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 41.248.119.194

Timestamp:	04/15/24-00:36:04.171156
SID:	2814860
Source Port:	49740
Destination Port:	10000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 41.248.119.194

Timestamp:	04/15/24-00:36:00.040896
SID:	2825564
Source Port:	49740
Destination Port:	10000
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SjMIbKjuDL.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 00000003.00000002.4134329459.00000000032D1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Njrat {"Host": "doddyfire.linkpc.net", "Port": "10000", "Version": "0.7d", "Campaign ID": "neuf", "Install Name": "softcontrol.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}

Multi AV Scanner detection for submitted file

Source: SjMIbKjuDL.exe	Virustotal: Detection: 82%			Perma Link
Source: SjMIbKjuDL.exe	ReversingLabs: Detection: 89%

Yara detected Njrat

Source: Yara match	File source: 12.2.chargeable.exe.330da70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.chargeable.exe.330da70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.369da74.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.369da74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4134329459.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 2836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 6472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 344, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SjMIbKjuDL.exe

Joe Sandbox ML: detected

Source: SjMIbKjuDL.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: SjMIbKjuDL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49740 -> 41.248.119.194:10000
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49740 -> 41.248.119.194:10000
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49740 -> 41.248.119.194:10000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: doddyfire.linkpc.net

Source: global traffic

TCP traffic: 192.168.2.4:49740 -> 41.248.119.194:10000

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: doddyfire.linkpc.net

Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp, SjMIbKjuDL.exe, 00000000.00000002.1756553383.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.chargeable.exe.369da74.0.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 12.2.chargeable.exe.330da70.0.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 12.2.chargeable.exe.330da70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.chargeable.exe.330da70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.369da74.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.369da74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4134329459.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 2836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 6472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 344, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.chargeable.exe.330da70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 12.2.chargeable.exe.330da70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 12.2.chargeable.exe.330da70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 12.2.chargeable.exe.330da70.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.chargeable.exe.330da70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 12.2.chargeable.exe.330da70.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 12.2.chargeable.exe.330da70.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 12.2.chargeable.exe.330da70.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.chargeable.exe.330da70.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.chargeable.exe.330da70.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 2.2.chargeable.exe.369da74.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.2.chargeable.exe.369da74.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.2.chargeable.exe.369da74.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.chargeable.exe.369da74.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.chargeable.exe.369da74.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 2.2.chargeable.exe.369da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.2.chargeable.exe.369da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.2.chargeable.exe.369da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.chargeable.exe.369da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.chargeable.exe.369da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 2_2_05930E3E NtResumeThread,	2_2_05930E3E
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 2_2_05930EE6 NtWriteVirtualMemory,	2_2_05930EE6
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 2_2_05930EB9 NtWriteVirtualMemory,	2_2_05930EB9
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 2_2_05930DFA NtResumeThread,	2_2_05930DFA
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 4_2_05260E3E NtResumeThread,	4_2_05260E3E
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 4_2_05260EE6 NtWriteVirtualMemory,	4_2_05260EE6
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 4_2_05260EB9 NtWriteVirtualMemory,	4_2_05260EB9
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 4_2_05260DFA NtResumeThread,	4_2_05260DFA
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 12_2_054E0EE6 NtWriteVirtualMemory,	12_2_054E0EE6
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 12_2_054E0E3E NtResumeThread,	12_2_054E0E3E
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 12_2_054E0DFA NtResumeThread,	12_2_054E0DFA
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 12_2_054E0EB9 NtWriteVirtualMemory,	12_2_054E0EB9

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Code function: 3_2_054D22D8

3_2_054D22D8

Source: SjMIbKjuDL.exe, 00000000.00000002.1756943945.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs SjMIbKjuDL.exe
Source: SjMIbKjuDL.exe, 00000000.00000002.1756943945.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SjMIbKjuDL.exe
Source: SjMIbKjuDL.exe, 00000000.00000002.1756943945.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lU,\\StringFileInfo\\000004B0\\OriginalFilenameL. vs SjMIbKjuDL.exe
Source: SjMIbKjuDL.exe, 00000000.00000002.1756943945.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb6052.dll4 vs SjMIbKjuDL.exe
Source: SjMIbKjuDL.exe, 00000000.00000002.1757088773.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1.exe0 vs SjMIbKjuDL.exe
Source: SjMIbKjuDL.exe, 00000000.00000002.1756265050.000000000083E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs SjMIbKjuDL.exe
Source: SjMIbKjuDL.exe, 00000000.00000000.1659084051.00000000000BE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename1.exe0 vs SjMIbKjuDL.exe
Source: SjMIbKjuDL.exe, 00000000.00000000.1659060144.00000000000A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename1.exe0 vs SjMIbKjuDL.exe
Source: SjMIbKjuDL.exe, 00000000.00000002.1757965777.0000000007C00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameb6052.dll4 vs SjMIbKjuDL.exe
Source: SjMIbKjuDL.exe, 0000000B.00000002.1937787978.0000000002C86000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs SjMIbKjuDL.exe
Source: SjMIbKjuDL.exe, 0000000B.00000002.1937787978.0000000002C86000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SjMIbKjuDL.exe
Source: SjMIbKjuDL.exe, 0000000B.00000002.1937787978.0000000002C86000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lU,\\StringFileInfo\\000004B0\\OriginalFilenameL. vs SjMIbKjuDL.exe
Source: SjMIbKjuDL.exe, 0000000E.00000002.2125322171.00000000028A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs SjMIbKjuDL.exe
Source: SjMIbKjuDL.exe, 0000000E.00000002.2125322171.00000000028A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SjMIbKjuDL.exe
Source: SjMIbKjuDL.exe, 0000000E.00000002.2125322171.00000000028A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lU,\\StringFileInfo\\000004B0\\OriginalFilenameL. vs SjMIbKjuDL.exe
Source: SjMIbKjuDL.exe	Binary or memory string: OriginalFilename1.exe0 vs SjMIbKjuDL.exe

Source: SjMIbKjuDL.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 12.2.chargeable.exe.330da70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 12.2.chargeable.exe.330da70.0.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 12.2.chargeable.exe.330da70.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.chargeable.exe.330da70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.2.chargeable.exe.330da70.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 12.2.chargeable.exe.330da70.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 12.2.chargeable.exe.330da70.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.chargeable.exe.330da70.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.chargeable.exe.330da70.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.2.chargeable.exe.330da70.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 2.2.chargeable.exe.369da74.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.2.chargeable.exe.369da74.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.chargeable.exe.369da74.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.chargeable.exe.369da74.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.2.chargeable.exe.369da74.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 2.2.chargeable.exe.369da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.2.chargeable.exe.369da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.chargeable.exe.369da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.chargeable.exe.369da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.2.chargeable.exe.369da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan

Source: SjMIbKjuDL.exe, MusicExpressMain.cs	Base64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'
Source: chargeable.exe.0.dr, MusicExpressMain.cs	Base64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'
Source: 0.2.SjMIbKjuDL.exe.38c7ef0.1.raw.unpack, MusicExpressMain.cs	Base64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'
Source: 0.2.SjMIbKjuDL.exe.38e3110.2.raw.unpack, MusicExpressMain.cs	Base64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@16/4@1/1

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 3_2_05622912 AdjustTokenPrivileges,		3_2_05622912
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 3_2_056228DB AdjustTokenPrivileges,		3_2_056228DB

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe

File created: C:\Users\user\AppData\Roaming\confuse

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2144:120:WilError_03
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Mutant created: \Sessions\1\BaseNamedObjects\e1a87040f2026369a233f9ae76301b7b
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: SjMIbKjuDL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SjMIbKjuDL.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SjMIbKjuDL.exe	Virustotal: Detection: 82%
Source: SjMIbKjuDL.exe	ReversingLabs: Detection: 89%

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe

File read: C:\Users\user\Desktop\SjMIbKjuDL.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SjMIbKjuDL.exe "C:\Users\user\Desktop\SjMIbKjuDL.exe"
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\SjMIbKjuDL.exe "C:\Users\user\Desktop\SjMIbKjuDL.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Source: unknown	Process created: C:\Users\user\Desktop\SjMIbKjuDL.exe "C:\Users\user\Desktop\SjMIbKjuDL.exe"
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Jump to behavior

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Section loaded: shfolder.dll

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: SjMIbKjuDL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: SjMIbKjuDL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 2.2.chargeable.exe.369da74.0.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 12.2.chargeable.exe.330da70.0.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: SjMIbKjuDL.exe	Static PE information: section name: .l2
Source: chargeable.exe.0.dr	Static PE information: section name: .l2

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 2_2_017BCDBC push ebx; retf	2_2_017BCDC3
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 2_2_017BCDF1 push ebx; retf	2_2_017BCDF8
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 2_2_017BCDAA push ebx; retf	2_2_017BCDB1
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 2_2_017BCDE2 push ebx; retf	2_2_017BCDE6
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 2_2_017BCDCE push ebx; retf	2_2_017BCDD5

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe

File created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run confuse			Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysMain			Jump to behavior

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run confuse	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run confuse	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysMain	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysMain	Jump to behavior

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Memory allocated: 800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Memory allocated: 28C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Memory allocated: D90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 14E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 35D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 17F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 16D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 32D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 52D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 1240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 4EC0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 16C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 3590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 1710000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Memory allocated: FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Memory allocated: 2C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Memory allocated: 4C60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 1220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 3240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 13D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 1270000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 2F80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 4F80000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Memory allocated: B10000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Memory allocated: 2880000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Memory allocated: BB0000 memory commit \| memory reserve \| memory write watch

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Window / User API: threadDelayed 353	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Window / User API: threadDelayed 3739	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Window / User API: threadDelayed 5372	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Window / User API: foregroundWindowGot 1767	Jump to behavior

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe TID: 6764	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 6160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 6644	Thread sleep count: 353 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 6644	Thread sleep time: -353000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 5804	Thread sleep count: 3739 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 6644	Thread sleep count: 5372 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 6644	Thread sleep time: -5372000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 5216	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 4312	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe TID: 2500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 4564	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 1016	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe TID: 7076	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Thread delayed: delay time: 922337203685477

Source: chargeable.exe, 00000003.00000002.4132563437.0000000001353000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWnt, System.Ser
Source: netsh.exe, 00000007.00000002.1866596442.00000000010BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: chargeable.exe, 00000003.00000002.4132563437.0000000001353000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code contains process injector

Source: 0.2.SjMIbKjuDL.exe.7c00000.3.raw.unpack, D.cs	.Net Code: Run contains injection code
Source: 0.2.SjMIbKjuDL.exe.291c09c.0.raw.unpack, D.cs	.Net Code: Run contains injection code
Source: 2.2.chargeable.exe.362c2fc.1.raw.unpack, D.cs	.Net Code: Run contains injection code
Source: 12.2.chargeable.exe.329c2f8.1.raw.unpack, D.cs	.Net Code: Run contains injection code

.NET source code references suspicious native API functions

Source: 0.2.SjMIbKjuDL.exe.7c00000.3.raw.unpack, D.cs	Reference to suspicious API methods: VirtualAllocEx((IntPtr)array4[0], intPtr, (uint)(ptr2 + 80), 12288u, 64u)
Source: 0.2.SjMIbKjuDL.exe.7c00000.3.raw.unpack, D.cs	Reference to suspicious API methods: NtWriteVirtualMemory((IntPtr)array4[0], intPtr, (IntPtr)ptr5, (uint)(ptr2 + 84), IntPtr.Zero)
Source: 0.2.SjMIbKjuDL.exe.7c00000.3.raw.unpack, D.cs	Reference to suspicious API methods: NtSetContextThread((IntPtr)array4[1], (IntPtr)ptr4)
Source: 2.2.chargeable.exe.369da74.0.raw.unpack, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: 2.2.chargeable.exe.369da74.0.raw.unpack, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: 2.2.chargeable.exe.369da74.0.raw.unpack, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory written: C:\Users\user\AppData\Roaming\confuse\chargeable.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory written: C:\Users\user\AppData\Roaming\confuse\chargeable.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory written: C:\Users\user\AppData\Roaming\confuse\chargeable.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Jump to behavior

Source: chargeable.exe, 00000003.00000002.4134329459.000000000334A000.00000004.00000800.00020000.00000000.sdmp, chargeable.exe, 00000003.00000002.4134329459.000000000371D000.00000004.00000800.00020000.00000000.sdmp, chargeable.exe, 00000003.00000002.4134329459.000000000380E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: chargeable.exe, 00000003.00000002.4134329459.000000000334A000.00000004.00000800.00020000.00000000.sdmp, chargeable.exe, 00000003.00000002.4134329459.000000000371D000.00000004.00000800.00020000.00000000.sdmp, chargeable.exe, 00000003.00000002.4134329459.000000000380E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9

Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SjMIbKjuDL.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables zone checking for all users

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

Modifies the windows firewall

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: 12.2.chargeable.exe.330da70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.chargeable.exe.330da70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.369da74.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.369da74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4134329459.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 2836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 6472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 344, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: 12.2.chargeable.exe.330da70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.chargeable.exe.330da70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.369da74.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.369da74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4134329459.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 2836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 6472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 344, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Masquerading	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	212 Process Injection	31 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	212 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SjMIbKjuDL.exe	82%	Virustotal		Browse
SjMIbKjuDL.exe	89%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
SjMIbKjuDL.exe	100%	Avira	TR/Dropper.Gen
SjMIbKjuDL.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\confuse\chargeable.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\confuse\chargeable.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse
http://www.founder.com.cn/cn	0%	Virustotal		Browse
http://www.zhongyicts.com.cn	1%	Virustotal		Browse
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
doddyfire.linkpc.net	41.248.119.194	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
doddyfire.linkpc.net	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp, SjMIbKjuDL.exe, 00000000.00000002.1756553383.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sakkal.com	SjMIbKjuDL.exe, 00000000.00000002.1757449158.0000000005CD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
41.248.119.194	doddyfire.linkpc.net	Morocco		36903	MT-MPLSMA	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1425839
Start date and time:	2024-04-15 00:31:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SjMIbKjuDL.exe renamed because original name is a hash value
Original Sample Name:	21d48723fd950d9b624103ee4dd625f8.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@16/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 229 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:32:51	API Interceptor	992254x Sleep call for process: chargeable.exe modified
23:32:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run confuse C:\Users\user\AppData\Roaming\confuse\chargeable.exe
23:32:11	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysMain C:\Users\user\Desktop\SjMIbKjuDL.exe
23:32:20	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run confuse C:\Users\user\AppData\Roaming\confuse\chargeable.exe
23:32:30	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysMain C:\Users\user\Desktop\SjMIbKjuDL.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
doddyfire.linkpc.net	ctVXvVgUrO.exe	Get hash	malicious	Njrat	Browse	41.249.48.248
	j76l1AiIHm.exe	Get hash	malicious	Njrat	Browse	41.249.48.248
	QpcOa13BU1.exe	Get hash	malicious	Njrat	Browse	41.249.108.177
	z9gxPEpWws.exe	Get hash	malicious	Njrat	Browse	41.249.108.177
	7Hr9O6jK2l.exe	Get hash	malicious	Njrat	Browse	41.249.108.177
	tuYTv9rjMX.exe	Get hash	malicious	Njrat	Browse	160.178.39.123
	eDafoy5XIk.exe	Get hash	malicious	Njrat	Browse	160.178.39.123
	KSqpu62vE4.exe	Get hash	malicious	Njrat	Browse	160.178.39.123
	VDPIYNN1uz.exe	Get hash	malicious	Njrat	Browse	160.178.39.123
	hzapnLzS07.exe	Get hash	malicious	Njrat	Browse	105.154.98.75

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MT-MPLSMA	EYhvUxUIsT.elf	Get hash	malicious	Mirai	Browse	41.248.235.159
	2EFEN3j6ml.elf	Get hash	malicious	Unknown	Browse	41.143.59.124
	ye7FfR856w.elf	Get hash	malicious	Mirai	Browse	41.248.235.170
	mBUFKJts6X.elf	Get hash	malicious	Mirai	Browse	41.251.244.103
	ctVXvVgUrO.exe	Get hash	malicious	Njrat	Browse	41.249.48.248
	j76l1AiIHm.exe	Get hash	malicious	Njrat	Browse	41.249.48.248
	QpcOa13BU1.exe	Get hash	malicious	Njrat	Browse	41.249.108.177
	z9gxPEpWws.exe	Get hash	malicious	Njrat	Browse	41.249.108.177
	7Hr9O6jK2l.exe	Get hash	malicious	Njrat	Browse	41.249.108.177
	7m7X62tiZr.elf	Get hash	malicious	Mirai	Browse	41.140.123.140

Process:	C:\Users\user\Desktop\SjMIbKjuDL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	388
Entropy (8bit):	5.20595142366915
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10U29xtUz1B0U2uk71K6xhk7v:MLF2CpI329Iz52Ve
MD5:	2452328391F7A0B3C56DDF0E6389513E
SHA1:	6FE308A325AE8BFB17DE5CAAF54432E5301987B6
SHA-256:	2BC0F7D1CBD869EF4FD93B95495C8081B01B3FD627890B006B6A531D8C050AA2
SHA-512:	AC65283B0959E112B73160BB4322D0725C7D0EC79E3BB93555B1412204AA72F1F66BB9EB8D8B24B6570EC8717A1A4A129454588C3EA9ACE206B6E9CCB7F2ABDC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	388
Entropy (8bit):	5.20595142366915
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10U29xtUz1B0U2uk71K6xhk7v:MLF2CpI329Iz52Ve
MD5:	2452328391F7A0B3C56DDF0E6389513E
SHA1:	6FE308A325AE8BFB17DE5CAAF54432E5301987B6
SHA-256:	2BC0F7D1CBD869EF4FD93B95495C8081B01B3FD627890B006B6A531D8C050AA2
SHA-512:	AC65283B0959E112B73160BB4322D0725C7D0EC79E3BB93555B1412204AA72F1F66BB9EB8D8B24B6570EC8717A1A4A129454588C3EA9ACE206B6E9CCB7F2ABDC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Download File

Process:	C:\Users\user\Desktop\SjMIbKjuDL.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	111168
Entropy (8bit):	5.9284213075577155
Encrypted:	false
SSDEEP:	1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBhe:w5eznsjsguGDFqGx8egoxmO3e
MD5:	8333797879EB8B484866624323C08DE3
SHA1:	25E956F7CBFCC14309ACDF4260F8E9DB620681DF
SHA-256:	78ED27EEE3C675F089ED40CDB61B77A948CF0DF847144A2BA4F9D0AB9B83870A
SHA-512:	40F5632827FA9644D61501F54647621DD0899322010783CA75A3AC007B0BD667A66E476DD88B4191A99E526EBFE963F944A3E05CED09C88105AA2CE9A3C1DA1F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S..[.................x..........^.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...dv... ...x.................. ..`.rsrc...H............\|..............@..@.reloc..............................@..B.l2.................................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.9266803370249095
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SjMIbKjuDL.exe
File size:	111'104 bytes
MD5:	21d48723fd950d9b624103ee4dd625f8
SHA1:	c8464eb2e1c60294cc2130143802dde486cfe215
SHA256:	b28b6fb51ad601426665371ccd212a0038865c40f73b76cc1adba27da491cebf
SHA512:	cbd41075d567da7351430300c1c9c9aed45d865e3ff7cbf3da68a9d268a724dc80be90836df004618d15cd3e106d2a855fd4f8dd940adf790c43ed0d3538431f
SSDEEP:	1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBhp:w5eznsjsguGDFqGx8egoxmO3p
TLSH:	96B3FB387D952133C67EC1F689E50A8AEB69223F3191E9ED4CA742C418B2F166DC1D1F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S..[.................x..........^.... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x41965e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5B1EAC53 [Mon Jun 11 17:07:31 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19608	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e000	0x400	.l2
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x17664	0x17800	7acd957f3266ee65ab01391ebf758013	False	0.46648520611702127	data	5.649987526076151	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1a000	0x348	0x400	2f8c2571ca02df8c52b2a03fcee90517	False	0.37109375	data	2.7512174114856074	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1c000	0xc	0x200	5219651ec1890b5711996a05a6f4ed37	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.l2	0x1e000	0x400	0x400	8821bc5ab10b630550f47d3029855e20	False	0.3720703125	data	2.7512174114856074	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1e060	0x2ec	data			0.4625668449197861

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/15/24-00:32:20.305773	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49740	10000	192.168.2.4	41.248.119.194
04/15/24-00:36:04.171156	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49740	10000	192.168.2.4	41.248.119.194
04/15/24-00:36:00.040896	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49740	10000	192.168.2.4	41.248.119.194

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2024 00:32:19.877422094 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:32:20.217927933 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:32:20.218251944 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:32:20.305773020 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:32:21.006227970 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:32:21.346715927 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:32:25.725377083 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:32:26.283598900 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:32:27.635157108 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:32:27.640268087 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:32:28.381161928 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:32:28.722165108 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:32:44.649530888 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:32:44.649914026 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:32:45.396894932 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:32:45.736490011 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:02.712505102 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:02.713047981 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:03.257575989 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:12.866864920 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:13.407227039 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:15.288610935 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:15.827260017 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:20.776421070 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:20.776979923 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:21.315165043 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:22.959937096 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:23.502255917 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:23.502352953 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:24.046363115 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:25.647464037 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:26.190455914 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:26.190697908 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:26.722229004 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:26.724423885 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:26.998186111 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:27.067553997 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:27.067802906 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:27.340095997 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:27.340246916 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:27.606024027 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:27.606189966 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:27.874710083 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:27.889003992 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:27.889224052 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:28.156188965 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:28.156380892 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:28.215668917 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:28.215818882 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:28.428986073 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:28.429133892 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:28.560489893 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:28.560877085 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:28.901045084 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:28.901199102 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:29.146326065 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:29.420344114 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:29.446902037 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:29.447017908 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:29.489757061 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:29.489891052 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:29.721014977 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:29.768799067 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:29.768934011 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:29.830224991 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:29.830471992 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:30.081312895 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:30.081427097 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:30.178641081 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:30.178764105 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:30.375000000 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:30.518518925 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:30.518656969 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:30.723563910 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:30.723735094 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:30.928268909 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:31.051491022 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:31.051717997 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:31.269572020 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:31.269726992 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:31.392437935 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:31.392575026 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:31.586678982 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:31.741128922 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:31.741319895 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:31.931366920 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:31.931606054 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:32.128515005 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:32.282759905 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:32.282886982 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:32.469352007 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:32.469579935 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:32.622801065 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:32.622898102 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:32.888463020 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:32.963335991 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:32.963665009 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:33.151644945 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:33.267741919 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:33.268740892 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:33.495563030 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:33.557110071 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:33.560681105 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:33.693991899 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:33.696805954 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:33.909658909 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:33.957928896 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:33.960864067 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:34.083502054 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:34.083612919 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:34.292151928 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:34.435115099 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:34.435229063 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:34.436868906 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:34.634453058 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:34.634562969 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:34.841805935 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:34.842011929 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:35.040781975 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:35.240386963 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:35.240510941 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:35.405539036 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:35.405649900 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:35.606880903 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:35.831913948 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:35.832062006 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:35.973186016 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:35.973315001 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:36.214688063 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:36.376101971 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:36.376271009 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:36.557339907 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:36.560822010 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:36.756906986 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:36.760720015 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:36.956649065 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:36.956790924 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:37.160947084 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:37.304702997 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:37.304819107 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:37.502835989 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:37.502947092 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:37.535780907 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:37.535974026 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:37.804763079 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:37.844364882 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:37.844469070 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:38.078488111 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:38.078615904 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:38.261137009 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:38.262736082 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:38.475569963 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:38.479182959 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:38.705035925 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:38.798309088 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:38.800770998 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:38.842660904 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:38.848781109 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:39.027302980 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:39.029045105 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:39.154944897 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:39.156743050 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:39.190732002 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:39.192815065 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:39.425170898 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:39.508443117 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:39.508555889 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:39.734971046 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:39.735088110 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:39.865449905 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:39.865595102 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:40.073045969 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:40.197830915 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:40.200731039 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:40.438056946 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:40.596256971 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:40.600780964 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:40.774312019 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:40.774547100 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:40.888267994 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:40.890784979 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:41.323542118 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:41.570580959 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:41.570806980 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:42.256057024 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:42.256176949 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:42.527318954 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:42.641710997 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:42.641935110 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:42.881581068 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:43.109409094 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:43.332391977 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:43.555252075 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:43.715540886 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:43.715708017 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:44.000488997 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:44.284013987 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:44.562129021 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:44.785124063 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:44.887358904 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:44.888763905 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:45.113961935 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:45.310039043 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:45.358444929 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:45.358444929 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:45.519125938 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:45.519227028 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:45.602205038 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:45.602205992 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:45.841404915 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:45.841406107 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.065994978 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.065994978 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.102792978 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.102919102 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.104675055 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.104675055 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.104690075 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.277956009 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.277956009 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.331130028 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.332751989 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.332751989 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.335098982 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.425762892 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.426698923 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.458627939 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.461478949 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.474426031 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.474426031 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.510231018 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.511754990 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.511754990 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.537429094 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.537611961 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.537611961 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.538691044 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.539266109 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.558293104 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.559241056 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.559484959 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.590118885 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.591133118 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.623236895 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.625027895 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.625273943 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.625273943 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.631927967 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.632874966 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.633888960 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.665683985 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.666933060 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.705656052 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.705753088 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.705753088 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.707680941 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.851001024 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.854422092 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.872251034 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.873156071 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.900051117 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.901942015 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.902961016 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.915760040 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.917406082 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.917407036 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:46.965836048 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.967787027 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:46.973139048 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:47.053498983 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:47.056934118 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:47.273617983 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:47.273716927 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:47.402147055 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:47.402312994 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:47.680118084 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:47.744934082 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:47.745023966 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:48.000817060 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:48.025738955 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:48.025856018 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:48.285028934 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:48.288734913 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:48.349809885 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:48.350120068 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:48.584990025 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:48.596820116 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:48.599832058 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:48.692491055 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:48.692748070 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:48.927922010 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:48.932744980 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:49.033324957 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:49.034748077 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:49.297740936 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:49.375025988 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:49.375231028 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:49.695764065 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:49.695869923 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:49.990535021 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:50.038619041 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:50.038841963 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:50.296576977 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:50.331440926 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:50.331672907 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:50.580585957 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:50.580756903 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:50.647218943 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:50.647358894 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:50.910095930 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:50.910198927 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:50.991987944 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:50.992311954 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:51.265847921 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:51.337764978 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:51.337985992 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:51.587179899 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:51.605849028 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:51.605967999 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:51.887846947 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:51.887962103 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:51.946580887 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:51.946674109 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:52.222384930 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:52.226486921 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:52.286271095 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:52.288784981 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:52.528913021 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:52.571311951 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:52.572846889 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:52.846498013 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:52.847246885 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:52.887183905 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:52.888849020 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:53.111387968 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:53.112765074 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:53.193829060 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:53.196883917 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:53.423353910 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:53.423510075 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:53.545895100 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:53.546068907 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:53.804917097 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:53.885523081 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:53.885621071 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:54.147680044 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:54.147943974 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:54.429649115 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:54.432724953 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:54.674671888 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:54.703443050 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:54.704777002 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:54.977261066 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:54.985588074 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:54.988737106 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:55.130019903 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:55.130165100 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:55.327411890 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:55.327555895 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:55.329267025 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:55.647347927 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:55.668056011 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:55.668371916 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:55.959534883 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:55.989101887 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:55.989238977 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:56.202069044 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:56.202249050 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:56.303520918 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:56.303656101 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:56.520776033 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:56.520905018 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:56.659288883 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:56.659527063 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:56.946712971 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:57.000051022 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:57.000276089 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:57.289438963 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:57.289726973 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:57.544116974 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:57.544274092 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:57.925693035 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:57.925822020 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:58.261450052 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:58.390284061 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:58.390409946 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:58.770548105 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:58.807732105 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:59.283806086 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:59.578231096 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:59.852639914 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:59.852756023 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:33:59.918360949 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:33:59.918586016 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:00.247817993 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:00.259140015 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:00.263446093 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:00.549783945 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:00.592983961 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:00.593086958 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:00.805169106 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:00.808756113 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:00.890943050 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:00.895797014 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:01.136073112 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:01.136903048 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:01.235742092 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:01.235918045 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:01.481048107 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:01.481168985 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:01.665760040 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:01.777714014 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:01.777815104 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:01.968733072 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:02.007019043 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:02.007172108 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:02.117765903 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:02.117925882 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:02.301090956 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:02.308805943 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:02.462551117 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:02.462682009 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:02.642518044 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:02.642851114 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:02.828819036 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:02.937784910 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:02.937884092 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:03.168661118 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:03.168823004 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:03.278356075 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:03.280790091 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:03.526691914 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:03.620083094 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:03.622865915 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:03.847753048 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:03.867928028 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:03.868851900 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:04.164530993 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:04.171964884 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:04.206653118 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:04.207745075 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:04.423559904 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:04.430862904 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:04.430949926 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:04.508811951 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:04.508946896 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:04.748719931 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:04.748825073 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:04.765675068 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:04.765743017 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:04.892328024 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:04.892435074 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:05.111603975 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:05.111707926 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:05.352650881 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:05.441561937 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:05.441672087 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:05.668665886 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:05.668776035 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:05.696571112 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:05.696664095 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:05.886934996 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:05.989474058 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:05.989572048 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:06.035062075 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:06.035180092 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:06.227592945 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:06.227732897 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:06.398881912 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:06.399022102 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:06.640286922 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:06.737684011 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:06.737824917 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:06.989037991 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:06.995549917 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:07.266860962 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:07.279964924 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:07.283513069 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:07.435064077 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:07.435657978 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:07.612606049 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:07.615639925 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:07.787676096 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:07.787796974 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:08.066159010 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:08.129296064 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:08.131071091 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:08.407124043 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:08.407234907 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:08.622230053 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:08.669565916 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:08.669668913 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:08.946413994 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:08.946541071 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:08.965312004 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:08.965491056 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:08.966165066 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:09.241766930 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:09.287187099 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:09.288781881 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:09.506478071 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:09.508775949 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:09.582159996 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:09.582365036 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:09.856684923 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:09.857189894 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:10.088377953 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:10.136183977 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:10.136846066 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:10.198128939 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:10.199078083 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:10.429204941 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:10.429450035 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:10.537792921 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:10.538012028 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:10.799949884 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:10.883409977 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:10.883621931 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:11.140266895 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:11.140522957 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:11.392790079 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:11.430459976 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:11.430551052 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:11.680571079 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:11.680813074 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:11.734127045 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:11.734401941 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:11.971484900 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:11.971627951 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:12.073061943 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:12.073167086 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:12.314868927 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:12.424665928 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:12.424812078 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:12.656033993 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:12.656208038 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:12.909384012 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:12.968755007 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:12.968836069 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:13.199775934 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:13.199886084 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:13.249535084 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:13.249660015 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:13.503288984 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:13.511548996 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:13.512756109 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:13.588376999 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:13.590816975 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:13.846210003 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:13.848773956 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:13.934053898 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:13.935770035 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:14.175892115 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:14.275857925 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:14.276000977 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:14.517832994 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:14.517960072 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:14.801873922 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:14.818670988 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:14.818768024 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:14.979438066 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:14.979551077 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:15.144542933 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:15.144644976 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:15.320091009 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:15.320172071 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:15.659827948 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:15.659919977 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:16.248747110 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:16.286751986 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:16.508765936 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:16.695856094 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:16.829561949 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:16.829770088 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:16.850667953 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:16.850869894 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:17.036771059 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:17.037010908 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:17.236774921 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:17.240869045 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:17.240966082 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:17.434341908 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:17.576688051 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:17.577020884 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:17.593626976 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:17.593821049 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:17.778036118 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:17.778343916 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:17.934495926 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:17.934581041 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:17.992060900 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:17.992130041 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:18.238351107 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:18.275173903 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:18.276896000 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:18.476483107 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:18.539114952 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:18.543145895 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:18.579191923 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:18.582789898 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:18.809808969 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:18.821428061 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:18.823306084 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:18.889939070 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:18.890178919 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:19.093497038 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:19.172175884 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:19.172979116 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:19.179840088 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:19.402288914 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:19.449942112 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:19.450067043 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:19.520591021 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:19.520699024 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:19.744033098 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:19.744174004 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:19.861303091 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:19.861411095 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:20.082360983 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:20.202233076 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:20.202395916 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:20.410130978 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:20.423319101 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:20.423423052 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:20.655841112 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:20.745184898 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:20.745312929 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:20.752235889 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:20.968401909 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:20.968632936 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:20.995261908 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:20.995446920 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:21.259977102 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:21.375204086 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:21.375427961 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:21.384768963 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:21.601914883 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:21.602022886 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:21.945724010 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:21.945982933 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:22.287269115 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:22.487019062 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:22.487339973 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:22.634260893 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:22.634525061 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:22.974956036 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:22.975157022 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:23.330151081 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:23.514224052 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:23.514609098 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:23.670460939 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:23.670594931 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:24.009282112 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:24.009434938 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:24.544433117 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:24.544534922 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:24.958914995 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:25.089632034 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:25.089724064 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:25.299649954 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:25.299875021 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:25.623878002 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:25.627255917 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:25.837658882 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:25.840104103 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:25.967946053 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:25.968350887 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:26.313570976 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:26.321810961 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:26.655065060 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:26.655396938 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:27.006030083 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:27.201706886 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:27.201884031 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:27.353245974 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:27.353431940 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:27.692933083 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:27.693037987 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:28.023360968 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:28.239629984 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:28.239731073 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:28.369504929 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:28.369637012 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:28.710092068 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:28.780090094 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:28.780842066 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:29.051055908 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:29.052840948 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:29.383466959 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:29.394587994 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:29.747641087 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:29.759196997 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:30.096832037 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:30.128845930 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:30.128959894 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:30.440557957 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:30.440671921 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:30.748900890 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:30.749010086 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:31.071516991 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:31.079585075 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:31.379224062 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:31.379350901 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:31.413311958 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:31.413407087 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:31.767848015 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:31.767977953 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:32.139317989 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:32.340729952 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:32.341176033 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:32.483282089 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:32.483377934 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:32.821826935 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:32.822185040 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:33.181222916 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:33.356108904 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:33.356719017 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:33.523806095 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:33.523943901 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:33.863352060 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:33.863495111 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:34.210743904 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:34.406222105 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:34.406493902 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:34.555608988 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:34.555871010 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:34.841579914 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:34.896617889 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:34.896728992 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:35.182406902 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:35.182514906 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:35.449162960 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:35.477397919 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:35.477473974 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:35.697304964 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:35.726536989 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:35.726639986 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:35.792140007 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:35.792265892 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:36.004735947 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:36.016133070 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:36.016206980 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:36.038314104 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:36.038532019 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:36.049129009 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:36.049210072 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:36.132941008 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:36.133033991 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:36.344118118 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:36.344269991 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:36.379297018 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:36.379379988 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:36.482566118 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:36.482889891 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:36.727674007 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:36.727812052 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:37.019679070 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:37.019933939 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:37.261913061 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:37.262022018 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:37.555244923 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:37.555356026 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:37.805141926 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:37.805313110 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:38.099899054 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:38.100008965 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:38.348861933 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:38.349001884 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:38.638847113 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:38.640820980 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:38.882818937 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:38.883868933 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:39.174881935 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:39.176881075 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:39.428766966 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:39.429018021 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:39.714922905 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:39.715171099 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:39.966037989 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:39.966141939 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:40.253864050 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:40.253973007 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:40.504700899 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:40.504798889 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:40.799932003 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:40.800101995 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:41.058931112 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:41.059425116 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:41.341202021 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:41.341502905 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:41.597026110 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:41.597183943 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:41.879997969 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:41.880357981 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:42.078401089 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:42.078929901 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:42.421895027 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:42.422058105 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:42.768898010 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:42.960983992 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:42.961131096 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:43.110583067 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:43.110712051 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:43.451132059 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:43.452965975 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:43.839171886 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:43.995316029 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:43.995584011 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:44.179395914 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:44.181896925 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:44.522099972 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:44.522245884 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:44.857948065 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:45.059073925 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:45.059171915 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:45.088227987 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:45.088321924 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:45.197743893 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:45.197892904 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:45.427025080 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:45.427535057 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:45.741539955 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:45.741667986 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:45.971060991 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:45.971153021 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:46.286788940 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:46.286890984 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:46.522907019 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:46.527165890 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:46.826828003 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:46.826984882 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:47.066059113 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:47.068839073 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:47.369749069 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:47.369859934 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:47.607156992 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:47.607245922 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:47.910768032 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:47.910893917 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:48.099280119 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:48.099411011 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:48.463861942 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:48.895369053 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:49.431294918 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:49.436225891 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:49.436302900 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:49.634671926 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:49.770772934 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:49.770878077 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:49.976634979 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:49.976763964 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:50.122729063 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:50.122827053 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:50.389537096 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:50.463438988 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:50.463560104 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:50.667315960 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:50.729554892 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:50.729677916 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:50.980950117 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:51.037211895 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:51.037322044 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:51.070199966 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:51.070281982 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:51.111999989 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:51.112092018 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:51.323338985 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:51.323553085 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:51.409977913 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:51.410258055 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:51.647121906 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:51.647217035 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:51.748778105 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:51.748884916 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:51.989022970 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:52.088452101 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:52.088540077 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:52.329463959 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:52.329711914 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:52.538788080 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:52.632646084 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:52.636837006 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:52.862512112 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:52.872351885 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:52.872447968 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:52.880244017 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:52.880793095 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:53.090080023 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:53.178544998 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:53.180896044 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:53.202619076 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:53.204910994 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:53.220031977 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:53.224879026 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:53.435370922 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:53.435491085 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:53.544069052 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:53.544281960 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:53.768248081 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:53.768321991 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:53.884951115 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:53.885165930 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:54.100629091 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:54.126213074 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:54.126343012 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:54.329822063 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:54.427866936 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:54.428410053 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:54.439563990 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:54.439811945 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:54.670387030 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:54.671895027 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:54.671937943 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:54.791574955 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:54.791925907 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:55.002229929 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:55.132325888 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:55.133405924 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:55.341698885 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:55.341928005 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:55.572789907 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:55.678147078 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:55.678378105 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:55.892585039 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:55.892715931 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:55.913609982 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:55.913716078 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:56.112301111 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:56.230247974 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:56.230408907 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:56.254426003 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:56.254564047 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:56.452667952 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:56.452822924 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:56.593255997 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:56.593458891 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:56.811952114 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:56.933031082 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:56.933156967 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:57.132143021 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:57.132246017 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:57.154748917 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:57.154836893 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:57.361978054 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:57.474090099 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:57.474293947 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:57.699785948 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:57.699959993 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:57.701632977 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:57.919826984 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:58.019798994 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:58.019975901 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:58.232167959 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:58.234885931 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:58.259830952 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:58.260035038 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:58.468364000 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:58.565239906 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:58.565395117 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:58.575656891 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:58.575778961 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:58.794724941 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:58.794816971 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:58.808952093 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:58.809041023 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:58.916497946 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:58.916580915 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:59.150569916 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:59.150902987 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:59.359709978 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:59.460633039 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:59.460753918 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:59.671544075 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:59.702805996 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:59.704639912 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:34:59.704926968 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:34:59.929491997 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:00.001827002 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:00.004375935 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:00.012381077 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:00.012823105 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:00.196677923 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:00.252868891 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:00.256617069 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:00.269601107 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:00.272332907 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:00.358222008 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:00.358335972 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:00.548599005 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:00.548718929 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:00.611644983 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:00.611732006 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:00.827341080 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:00.888324976 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:00.888480902 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:01.153897047 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:01.159279108 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:01.159382105 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:01.170106888 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:01.170248985 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:01.402926922 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:01.429316044 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:01.432800055 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:01.494051933 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:01.494184017 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:01.508840084 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:01.739204884 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:01.746129036 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:01.832964897 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:01.834866047 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:02.076524973 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:02.093962908 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:02.094727039 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:02.369259119 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:02.375989914 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:02.376070023 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:02.417648077 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:02.417737007 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:02.634916067 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:02.635016918 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:02.708620071 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:02.708734035 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:02.758424997 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:02.758579016 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:03.037592888 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:03.048309088 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:03.048484087 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:03.296557903 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:03.296717882 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:03.377294064 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:03.380857944 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:03.585434914 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:03.587820053 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:03.722044945 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:03.722894907 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:03.980895042 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:04.068536043 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:04.069034100 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:04.293222904 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:04.322726965 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:04.322818041 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:04.608835936 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:04.608920097 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:04.639482975 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:04.639686108 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:04.829556942 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:04.859757900 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:04.859847069 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:04.979278088 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:04.979528904 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:05.174587965 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:05.174696922 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:05.320214033 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:05.320389032 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:05.660751104 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:05.661043882 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:06.197899103 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:06.365494013 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:06.606451988 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:06.801009893 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:06.909320116 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:06.909435987 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:06.948127031 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:06.948357105 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:07.144685030 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:07.144948006 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:07.288852930 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:07.288983107 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:07.530414104 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:07.632386923 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:07.632496119 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:07.839174032 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:07.871686935 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:07.871808052 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:08.164737940 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:08.164920092 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:08.179418087 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:08.179501057 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:08.404943943 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:08.405034065 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:08.518178940 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:08.518312931 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:08.785917997 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:08.858263016 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:08.858462095 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:09.096081972 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:09.130182028 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:09.130306959 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:09.399238110 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:09.399332047 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:09.435930967 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:09.436038971 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:09.658240080 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:09.668967009 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:09.669096947 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:09.779867887 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:09.780107021 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:09.997980118 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:09.998128891 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:10.122620106 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:10.122751951 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:10.355871916 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:10.463785887 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:10.463917971 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:10.697125912 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:10.697273016 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:10.932687044 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:11.022100925 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:11.022193909 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:11.237410069 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:11.273231030 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:11.273417950 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:11.384026051 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:11.384294033 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:11.582050085 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:11.582330942 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:11.728616953 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:11.728748083 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:12.015712976 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:12.069365025 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:12.069528103 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:12.356518030 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:12.356739044 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:12.609477997 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:12.609652042 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:12.899645090 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:12.900124073 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:13.150532007 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:13.150656939 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:13.441081047 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:13.449297905 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:13.685225010 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:13.685348034 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:13.782054901 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:13.782180071 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:14.086308956 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:14.121330023 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:14.121742964 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:14.426883936 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:14.427191019 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:14.652848959 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:14.653017044 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:14.963660002 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:14.963778973 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:15.190056086 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:15.190500975 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:15.506851912 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:15.507003069 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:15.726972103 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:15.727144957 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:16.001730919 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:16.043975115 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:16.044457912 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:16.273740053 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:16.273936987 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:16.344595909 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:16.344718933 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:16.593914986 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:16.594106913 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:16.688447952 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:16.688590050 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:17.012296915 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:17.029431105 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:17.029649973 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:17.352874041 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:17.352984905 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:17.568351030 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:17.568547964 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:17.887706041 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:17.899945021 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:17.900094986 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:18.110194921 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:18.110341072 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:18.228780985 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:18.228931904 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:18.439894915 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:18.440031052 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:18.569785118 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:18.569931030 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:18.882313013 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:18.913129091 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:18.913266897 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:19.215918064 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:19.223057985 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:19.223212004 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:19.453315020 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:19.453927040 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:19.556936026 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:19.557219028 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:19.762128115 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:19.762325048 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:19.903649092 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:19.903764009 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:20.242434978 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:20.242739916 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:20.584481001 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:20.786567926 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:20.786725044 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:20.930772066 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:20.931016922 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:21.219930887 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:21.220315933 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:21.465061903 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:21.465361118 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:21.762840033 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:21.762984991 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:22.009056091 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:22.009243965 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:22.302104950 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:22.302517891 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:22.556982994 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:22.557148933 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:22.838085890 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:22.838198900 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:23.146646976 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:23.146749973 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:23.382091999 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:23.382292032 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:23.689753056 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:23.689874887 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:23.916941881 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:23.920587063 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:24.207927942 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:24.227581978 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:24.228882074 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:24.458040953 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:24.458494902 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:24.547610998 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:24.548156023 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:24.767604113 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:24.767733097 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:24.889362097 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:24.889621973 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:25.228308916 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:25.228517056 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:25.707138062 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:25.767155886 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:25.767362118 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:26.053333044 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:26.053601027 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:26.306482077 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:26.307028055 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:26.602895975 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:26.603121996 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:26.872972965 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:26.873209000 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:27.152797937 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:27.153044939 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:27.245402098 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:27.245618105 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:27.584791899 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:27.584995985 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:27.909008980 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:28.132584095 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:28.132685900 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:28.248924017 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:28.249229908 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:28.589844942 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:28.590019941 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:28.928396940 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:29.131197929 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:29.131455898 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:29.270319939 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:29.270428896 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:29.604382992 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:29.611414909 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:29.940083027 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:29.944855928 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:30.252937078 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:30.253194094 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:30.283807993 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:30.284212112 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:30.623534918 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:30.623651028 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:31.002175093 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:31.161674976 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:31.161780119 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:31.345099926 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:31.345226049 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:31.681456089 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:31.685590029 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:32.023305893 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:32.024302959 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:32.371612072 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:32.572365046 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:32.572827101 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:32.712698936 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:32.712838888 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:33.052618027 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:33.052748919 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:33.264086962 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:33.264322996 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:33.590764046 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:33.590898037 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:33.799796104 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:33.800017118 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:34.128678083 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:34.131339073 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:34.339888096 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:34.340008974 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:34.469681978 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:34.471659899 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:34.812504053 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:34.814763069 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:35.159137011 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:35.162955999 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:35.497292042 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:35.701102972 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:35.701292992 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:35.837630987 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:35.837873936 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:36.183317900 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:36.183450937 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:36.280884027 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:36.281044006 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:36.620384932 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:36.620517969 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:37.160473108 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:37.160795927 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:37.699875116 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:37.700015068 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:38.242727995 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:38.542810917 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:38.829673052 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:39.082521915 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:39.082735062 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:39.170316935 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:39.170439005 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:39.283921957 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:39.284138918 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:39.510158062 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:39.510296106 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:39.757229090 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:39.832045078 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:39.832170963 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:40.052958965 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:40.053219080 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:40.097904921 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:40.098016977 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:40.347687960 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:40.383944988 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:40.384025097 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:40.438776016 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:40.440875053 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:40.683185101 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:40.689732075 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:40.692866087 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:40.792601109 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:40.795732975 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:41.002923965 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:41.029570103 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:41.031404018 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:41.136063099 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:41.139189005 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:41.342400074 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:41.342964888 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:41.483110905 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:41.483215094 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:41.717358112 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:41.822715044 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:41.822962046 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:42.046051025 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:42.057467937 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:42.057555914 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:42.357687950 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:42.357815027 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:42.392370939 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:42.392467022 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:42.599930048 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:42.603240967 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:42.735157013 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:42.735306978 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:42.956078053 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:43.077229023 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:43.080168962 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:43.299135923 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:43.299320936 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:43.528763056 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:43.617794991 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:43.617921114 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:43.827991009 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:43.838120937 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:43.872832060 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:43.872984886 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:44.136949062 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:44.158843040 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:44.158916950 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:44.174880981 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:44.174969912 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:44.407874107 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:44.407951117 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:44.480556965 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:44.480665922 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:44.515645981 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:44.515770912 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:44.773888111 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:44.819418907 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:44.819557905 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:45.061717033 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:45.061836958 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:45.114239931 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:45.114413023 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:45.339314938 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:45.362096071 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:45.362293959 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:45.457829952 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:45.458005905 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:45.706110001 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:45.706295013 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:45.813827991 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:45.814021111 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:46.105084896 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:46.156579018 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:46.156704903 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:46.448610067 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:46.448932886 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:46.698529959 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:46.699120045 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:46.988538980 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:46.989367008 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:47.241712093 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:47.245296001 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:47.529488087 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:47.529618979 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:47.789522886 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:47.789791107 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:48.068722010 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:48.068856001 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:48.328829050 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:48.329063892 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:48.608598948 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:48.608707905 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:48.869998932 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:48.870251894 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:49.149775028 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:49.149966002 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:49.409023046 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:49.409147024 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:49.653342962 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:49.694608927 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:49.694946051 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:49.893991947 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:49.963640928 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:49.963762045 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:49.994307995 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:49.994609118 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:50.233944893 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:50.233949900 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:50.234013081 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:50.333241940 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:50.334805012 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:50.575442076 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:50.575576067 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:50.868232965 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:50.883971930 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:50.884131908 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:51.127475977 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:51.127594948 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:51.213197947 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:51.213457108 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:51.439254045 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:51.439395905 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:51.553797960 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:51.555269957 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:51.759093046 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:51.897876978 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:51.898930073 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:52.093856096 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:52.106829882 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:52.111193895 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:52.334605932 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:52.434659958 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:52.435163975 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:52.451503992 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:52.454258919 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:52.678626060 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:52.678744078 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:52.795587063 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:52.795726061 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:53.038140059 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:53.136089087 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:53.136326075 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:53.335870981 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:53.382464886 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:53.382695913 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:53.594734907 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:53.676409960 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:53.676954031 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:53.721927881 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:53.723628044 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:53.935962915 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:53.936934948 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:54.069514990 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:54.069650888 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:54.289509058 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:54.410172939 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:54.410315990 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:54.629501104 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:54.629648924 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:54.849595070 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:54.954415083 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:54.954571962 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:55.152611017 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:55.174911022 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:55.175050974 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:55.202828884 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:55.202941895 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:55.403367043 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:55.499484062 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:55.499664068 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:55.514204979 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:55.514391899 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:55.690284967 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:55.743556023 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:55.743777990 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:55.841887951 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:55.841984034 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:56.029422998 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:56.029653072 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:56.084208965 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:56.084302902 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:56.261368036 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:56.375094891 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:56.375205040 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:56.548331976 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:56.601356983 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:56.602981091 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:56.715814114 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:56.719027042 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:56.884660959 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:56.888098001 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:57.059562922 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:57.063369036 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:57.225830078 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:57.225999117 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:57.229001999 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:57.342331886 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:57.342529058 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:57.565534115 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:57.565665960 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:57.567456961 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:57.794186115 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:57.879992008 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:57.880213022 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:58.095206976 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:58.110542059 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:58.110656023 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:58.134896994 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:58.135010004 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:58.343672991 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:58.429349899 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:58.429481983 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:58.436398983 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:58.436499119 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:58.476553917 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:58.476819992 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:58.685590029 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:58.685744047 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:58.775058031 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:58.775149107 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:59.017457008 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:59.017652988 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:59.120976925 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:59.121087074 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:59.397651911 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:59.459788084 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:59.459924936 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:59.693032026 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:59.739696980 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:59.740917921 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:35:59.995541096 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:35:59.996264935 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:00.036823988 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:00.040895939 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:00.223007917 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:00.275964022 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:00.276896000 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:00.335475922 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:00.336905956 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:00.563884974 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:00.564002991 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:00.617465019 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:00.617613077 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:00.873447895 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:00.876799107 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:00.958321095 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:00.958442926 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:01.215162992 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:01.215250015 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:01.545304060 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:01.545412064 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:01.756418943 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:01.758910894 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:01.948738098 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:02.076561928 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:02.076684952 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:02.267628908 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:02.289531946 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:02.293037891 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:02.417083025 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:02.418979883 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:02.610332012 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:02.610431910 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:02.758147001 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:02.758332968 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:02.927768946 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:03.099631071 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:03.099747896 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:03.267995119 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:03.268167973 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:03.372886896 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:03.373008966 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:03.570080996 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:03.608776093 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:03.608901024 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:03.826659918 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:03.911017895 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:03.912046909 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:03.950638056 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:03.950920105 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:04.166826963 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:04.171155930 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:04.296237946 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:04.711811066 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:06.379605055 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:06.428426027 CEST	49740	10000	192.168.2.4	41.248.119.194
Apr 15, 2024 00:36:06.854738951 CEST	10000	49740	41.248.119.194	192.168.2.4
Apr 15, 2024 00:36:06.897175074 CEST	49740	10000	192.168.2.4	41.248.119.194

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2024 00:32:19.684657097 CEST	58451	53	192.168.2.4	1.1.1.1
Apr 15, 2024 00:32:19.875444889 CEST	53	58451	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 15, 2024 00:32:19.684657097 CEST	192.168.2.4	1.1.1.1	0x71a6	Standard query (0)	doddyfire.linkpc.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 15, 2024 00:32:19.875444889 CEST	1.1.1.1	192.168.2.4	0x71a6	No error (0)	doddyfire.linkpc.net		41.248.119.194	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	00:31:55
Start date:	15/04/2024
Path:	C:\Users\user\Desktop\SjMIbKjuDL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SjMIbKjuDL.exe"
Imagebase:	0xa0000
File size:	111'104 bytes
MD5 hash:	21D48723FD950D9B624103EE4DD625F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:32:05
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Imagebase:	0xea0000
File size:	111'168 bytes
MD5 hash:	8333797879EB8B484866624323C08DE3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000002.1791120819.0000000003661000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:32:08
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Imagebase:	0xd10000
File size:	111'168 bytes
MD5 hash:	8333797879EB8B484866624323C08DE3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000002.4134329459.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	00:32:11
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Imagebase:	0x8d0000
File size:	111'168 bytes
MD5 hash:	8333797879EB8B484866624323C08DE3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:32:15
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Imagebase:	0xe20000
File size:	111'168 bytes
MD5 hash:	8333797879EB8B484866624323C08DE3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000006.00000002.1907772846.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:32:15
Start date:	15/04/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:32:15
Start date:	15/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ec4b0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:32:20
Start date:	15/04/2024
Path:	C:\Users\user\Desktop\SjMIbKjuDL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SjMIbKjuDL.exe"
Imagebase:	0x620000
File size:	111'104 bytes
MD5 hash:	21D48723FD950D9B624103EE4DD625F8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:32:30
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Imagebase:	0xaf0000
File size:	111'168 bytes
MD5 hash:	8333797879EB8B484866624323C08DE3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000C.00000002.2045369556.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:32:33
Start date:	15/04/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Imagebase:	0x9c0000
File size:	111'168 bytes
MD5 hash:	8333797879EB8B484866624323C08DE3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:32:38
Start date:	15/04/2024
Path:	C:\Users\user\Desktop\SjMIbKjuDL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SjMIbKjuDL.exe"
Imagebase:	0x180000
File size:	111'104 bytes
MD5 hash:	21D48723FD950D9B624103EE4DD625F8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	19.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	90
Total number of Limit Nodes:	3

Executed Functions

Function 00D500D0 Relevance: 9.1, Instructions: 9145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1756748956.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb589419fe25ba85df21f219cf6fb3d90cb39369aaa0abee37355cf547a1e282
Instruction ID: b5d66a21a233bd0b318beb42f3f6990a7e01fff06cc176177cf7daa800ec9100
Opcode Fuzzy Hash: fb589419fe25ba85df21f219cf6fb3d90cb39369aaa0abee37355cf547a1e282
Instruction Fuzzy Hash: 0B143834601704DFDB65DB30C854A9AB3B2FF89304F6188A9D55A6B3A0DF35AE86CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00D500E0 Relevance: 9.1, Instructions: 9140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1756748956.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6bdb3080eff23f5207adb4941b87e7e26ed3821d0554316cadc3b0affff3952
Instruction ID: fbe820502bbac571c4f0456d6c011ada1c9b6ff4b9f0e859ae502fec4e67525c
Opcode Fuzzy Hash: b6bdb3080eff23f5207adb4941b87e7e26ed3821d0554316cadc3b0affff3952
Instruction Fuzzy Hash: 0E143834601704DFDB65DB30C854A9AB3B2FF89304F6188A9D55A6B3A0DF35AE86CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00D598A0 Relevance: 2.7, Instructions: 2696
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1756748956.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23931eb2cc1c3406016f229f6e349718b3624681cbf2bd0c6813dd2f0500c854
Instruction ID: ae0d2be3f5228dc635fbee9df65d627282b89d689bda0c5e7f5fcb815b086ef0
Opcode Fuzzy Hash: 23931eb2cc1c3406016f229f6e349718b3624681cbf2bd0c6813dd2f0500c854
Instruction Fuzzy Hash: 1933A6343249108B8705BB21D554D9E7BB6B7C865C3288385DA1257B88DF3EEF4B8BC9

Uniqueness

Uniqueness Score: -1.00%

Function 0069AC22 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0069ACD1

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9353bf621ce6dfe4127b889015d806a1f2147adb20f5d240cb2ef1bb3cfe3ba2
Instruction ID: a9443c96af1437a0b831ebf362339947957392c2eec4c33559d44c992d6aaa8f
Opcode Fuzzy Hash: 9353bf621ce6dfe4127b889015d806a1f2147adb20f5d240cb2ef1bb3cfe3ba2
Instruction Fuzzy Hash: 8131C471508380AFE7228B51CC45FA7BFFCEF06310F08849AE9848B652D264E94DCBB1

Uniqueness

Uniqueness Score: -1.00%

Function 049B0B60 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 049B0C05

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1d30328f194673adda72c7830a34c65305aaa3aed22075045856dba620497bd1
Instruction ID: 812ce249470fe90d89fb49be263dbd226d63959050b8439b1d9e48e58481cd4f
Opcode Fuzzy Hash: 1d30328f194673adda72c7830a34c65305aaa3aed22075045856dba620497bd1
Instruction Fuzzy Hash: 8B31B0715053406FE722CF65CD44FA6BFE8EF05224F0884AEE9858B652D365E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0069AD19 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,0A771243,00000000,00000000,00000000,00000000), ref: 0069ADD4

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 29c287b3b34000683923268d403ada4898221d7575b7dd9532407b7ae91dec84
Instruction ID: 75f5c80b106b56d23f856370681d8a5e6d72b74c7a1c78cc3f99fa57f439e284
Opcode Fuzzy Hash: 29c287b3b34000683923268d403ada4898221d7575b7dd9532407b7ae91dec84
Instruction Fuzzy Hash: 3031AF725093805FDB22CB61CC44FA2BFFCEF06310F08849AE9458B652D360E94CCBA1

Uniqueness

Uniqueness Score: -1.00%

Function 049B0F83 Relevance: 1.6, APIs: 1, Instructions: 81
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,0A771243,00000000,00000000,00000000,00000000), ref: 049B1030

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 2397ca44c6036adf3002f24df0d6505f6fe60e627b40e7bc03282920d02e6adf
Instruction ID: 6acda4e416a4f622d618a246b7697ec4d3d1c2b259d8a7f597e49c325240bcac
Opcode Fuzzy Hash: 2397ca44c6036adf3002f24df0d6505f6fe60e627b40e7bc03282920d02e6adf
Instruction Fuzzy Hash: 4A21C1B15087806FE7228B15DC45BA3BFB8AF06314F08849AE9848B693D324E908C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0069A2AC Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 0069A346

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 88c1edfda2522a785d433721f062ac83492d6b26006212e886c8458a6ac4b769
Instruction ID: 2637b518a0ea2f61b4d146cafa075705f265dbfa83f5c5ced9bf739d24c8671b
Opcode Fuzzy Hash: 88c1edfda2522a785d433721f062ac83492d6b26006212e886c8458a6ac4b769
Instruction Fuzzy Hash: AF21F57150D3C06FD3138B258C51B62BFB8EF87620F0941CBE884CB693D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 049B0B86 Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 049B0C05

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 53a5acb191350810a587c2e18594f5ea8fd0f58ec9e5557f55ff0edc333f33b6
Instruction ID: 6f4bd2092b221f876f1e5cfa09629db9270f3bf8e69a8951984c9465aaa8ca4b
Opcode Fuzzy Hash: 53a5acb191350810a587c2e18594f5ea8fd0f58ec9e5557f55ff0edc333f33b6
Instruction Fuzzy Hash: 02219271604200AFEB21CF65CD45BA7FBE8EF04714F088869E9858B651D375F548CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0069AC52 Relevance: 1.6, APIs: 1, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0069ACD1

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 3e2adb8b87f03f91194141415c2b031b77fa6a90bc1b798e763353b7a96d4b09
Instruction ID: 749401f7f4575e48797b4e300a448fd9e65e9c5f4242d34e60814530364f0539
Opcode Fuzzy Hash: 3e2adb8b87f03f91194141415c2b031b77fa6a90bc1b798e763353b7a96d4b09
Instruction Fuzzy Hash: 6B21CD72504204AFEB209F91DD85FABFBECEF14324F14845AE9458BA51D324E94C8AB2

Uniqueness

Uniqueness Score: -1.00%

Function 049B0D17 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,0A771243,00000000,00000000,00000000,00000000), ref: 049B0D9D

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 0ebc099d0d1c21fa0e8035a64ce0bddace44330ff3a6e93d14e7cd8d1a6ac7fd
Instruction ID: 5b29880b4c334cf80fbd7fb087bff2aecdb6b20ae94be96de11b411b74914193
Opcode Fuzzy Hash: 0ebc099d0d1c21fa0e8035a64ce0bddace44330ff3a6e93d14e7cd8d1a6ac7fd
Instruction Fuzzy Hash: E121D5B54093806FE7128B55DC41BE2BFBCEF47724F0880DAE9848B693D264A90DC7B1

Uniqueness

Uniqueness Score: -1.00%

Function 049B0431 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 049B04B3

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 49a7213346c73cb4c7cf0a4180c60942deb1f6f2e871e4a8095016a62fdadbbc
Instruction ID: 9d8573651ab30538578e7f7a459fea0d9216e1405190826fa9f6683360ada534
Opcode Fuzzy Hash: 49a7213346c73cb4c7cf0a4180c60942deb1f6f2e871e4a8095016a62fdadbbc
Instruction Fuzzy Hash: 242192716087809FDB22CF65DD45B62BFF8EF06310F0884AAE9858F563D275E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 049B0EBA Relevance: 1.6, APIs: 1, Instructions: 70
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,0A771243,00000000,00000000,00000000,00000000), ref: 049B0F39

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 2a960b027a45b2e7c95f87e13654b30225f819d2c42b3bfac22ca182b0957c0e
Instruction ID: 677270af0998ba1423bc9368f7421aba26ac957697a0014efee08bbe1ffc3be5
Opcode Fuzzy Hash: 2a960b027a45b2e7c95f87e13654b30225f819d2c42b3bfac22ca182b0957c0e
Instruction Fuzzy Hash: 9F219F71509380AFDB22CF51DD44FA7FFB8EF45620F08849AE9849B552D364A908CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0069AD5A Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,0A771243,00000000,00000000,00000000,00000000), ref: 0069ADD4

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c507a99809d8e3e063d785a194d5ecc9acfff2a4c4c189ae872618d2116b7c20
Instruction ID: e46ff62e1bf8d6bcb215ba9a1fe536e77107bd64f1c83d6e75fb92b8e4d13a22
Opcode Fuzzy Hash: c507a99809d8e3e063d785a194d5ecc9acfff2a4c4c189ae872618d2116b7c20
Instruction Fuzzy Hash: B421AE75604200AFEB21CE55CC80FA6F7ECEF04710F08845AE9058BB51D760E948CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0069BAB4 Relevance: 1.6, APIs: 1, Instructions: 68
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?), ref: 0069BB2C

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c7f05e6c53bc2f7e9b42173d66cf9f41a29e365588bac37f714e721d6fcc9d61
Instruction ID: 8fd762881c7f6c8f42f6a9ebaec34743b09a5a9de82ec0e9b0006df896527b3e
Opcode Fuzzy Hash: c7f05e6c53bc2f7e9b42173d66cf9f41a29e365588bac37f714e721d6fcc9d61
Instruction Fuzzy Hash: 30215E715093C05FDB128B25DD95792BFB8EF07314F0D84DAED848F6A7D2649908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0069B42D Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0069B4A9

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 921272c7d676bf73240411d3207b04208f130cac096e78cc75dc83e44ba74fb1
Instruction ID: 62a118444529092d62b762e6d682205737a08a8a0ef78aaba6ae1381189886bd
Opcode Fuzzy Hash: 921272c7d676bf73240411d3207b04208f130cac096e78cc75dc83e44ba74fb1
Instruction Fuzzy Hash: 502190B15093805FDB228E15ED45B62BFF8EF46714F08809AED84CB693D365E908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 049B0FBE Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,0A771243,00000000,00000000,00000000,00000000), ref: 049B1030

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e858d6937b2c4583f01f973ff2053b76644660dcfd8b78f9fd6ea7c38107d7c5
Instruction ID: 5d572c2c18ee2bb781136eebf33005f9bff107d64606b4a9e4763d9a5e31af0e
Opcode Fuzzy Hash: e858d6937b2c4583f01f973ff2053b76644660dcfd8b78f9fd6ea7c38107d7c5
Instruction Fuzzy Hash: 0B11D372600640AFE7208F11DD41FA7F7ECEF04750F08846AED458B652D774F5488AB1

Uniqueness

Uniqueness Score: -1.00%

Function 049B1078 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 049B10E3

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d77dd1258c49fc8d3435669513f541caecc90e748328d619d035b5f3106bffb2
Instruction ID: 87d5e1eb02856a741ff2513f1b9c7cc1e649a2e64573fd0e254618642f93b864
Opcode Fuzzy Hash: d77dd1258c49fc8d3435669513f541caecc90e748328d619d035b5f3106bffb2
Instruction Fuzzy Hash: 3F21C0716083C09FDB118F25DC55BA2BFA8EF46220F0884EAED84CB262D235E905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0069BC4B Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 0069BCBF

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 84217ef145c3212136e81552c1093013ac14c5275b6c736572cd76999f4d3a64
Instruction ID: b1a5d319781817aa1d093a18fa7a93e189c09c4bea8e42f21e3b937ac1267519
Opcode Fuzzy Hash: 84217ef145c3212136e81552c1093013ac14c5275b6c736572cd76999f4d3a64
Instruction Fuzzy Hash: 4E2190B19093809FDB12CF25DC45B52BFB8EF46310F0984DAED848F263E274A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 049B0AA4 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 049B0B0B

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: a600d9bcf88cd0310b8d141d9a4bf1f0c00f0509af2b5a6bb222f7b3d5298556
Instruction ID: 68d7aa4d4a1b5d1cf4a0d63a94986165713f105f0c83e6301e301bf53c83c49a
Opcode Fuzzy Hash: a600d9bcf88cd0310b8d141d9a4bf1f0c00f0509af2b5a6bb222f7b3d5298556
Instruction Fuzzy Hash: AD1172716043809FDB11CF65DD85B97BFE8EF46310F0884AAED85CB652D274E904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 049B1325 Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 049B1399

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4dfef9d27d1855676b79712c4d349966aeb0de22c8ec24d3e627a687de505161
Instruction ID: 16ad302f1eb9c6f0e75ca09e24700752ad29e551e1b22bc8041829259d7f09e9
Opcode Fuzzy Hash: 4dfef9d27d1855676b79712c4d349966aeb0de22c8ec24d3e627a687de505161
Instruction Fuzzy Hash: 63219D715093C09FDB238F25DC45A92BFB4EF07210F0985DAE9C48F563D265A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0069A5FB Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0069A666

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: af79891c873fc650dca17c210ddeb94dcd66a334407eadb852c10671507cea0a
Instruction ID: 4d1596cbb435418512d3ffe70d25269f739f1c50ae18b2735592dd3bdffe0b74
Opcode Fuzzy Hash: af79891c873fc650dca17c210ddeb94dcd66a334407eadb852c10671507cea0a
Instruction Fuzzy Hash: E6110671408380AFDB228F50DC44B62FFF8EF4A310F0888DAED848B562D235A918DB71

Uniqueness

Uniqueness Score: -1.00%

Function 049B0007 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 049B0082

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: d9547485d87462e80adc4b5c3b181cef0d2521f79c92a2285ab4e9d92fecde00
Instruction ID: 07f1a731d0bc22d32ebdf08ae288638fef42e1ebc44cf79e53ee1b6428c1d3df
Opcode Fuzzy Hash: d9547485d87462e80adc4b5c3b181cef0d2521f79c92a2285ab4e9d92fecde00
Instruction Fuzzy Hash: 0E11E6B15093806FC311CB25CC45F26FFB8EF86620F08819FE844CB693D225B919CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 049B0EDA Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,0A771243,00000000,00000000,00000000,00000000), ref: 049B0F39

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 5f8faf56e0d67b112cbf2961bbfd665946a3e5afb8d3f4157e91d3fd279d5c29
Instruction ID: d6b464fad7dec523bd113869a5da78deddbe0af6191682709d3f18b89f356bfd
Opcode Fuzzy Hash: 5f8faf56e0d67b112cbf2961bbfd665946a3e5afb8d3f4157e91d3fd279d5c29
Instruction Fuzzy Hash: 4711C471604200AFEB21CF51DD44FA7FBE8EF44724F04C46AE9458B651D374A548CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 049B11E4 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 049B1240

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 318725aa64c28b5a9bc78c2eebd75e44130ca7274902b71d1f590853852832bf
Instruction ID: f1817ec74db4bbd3d939690ef0fbdea2eca4cab3b99a7c41b931b7e77e352bba
Opcode Fuzzy Hash: 318725aa64c28b5a9bc78c2eebd75e44130ca7274902b71d1f590853852832bf
Instruction Fuzzy Hash: 5E11D3715083809FDB11CF25DC55B52BFB89F06220F0880EBED84CB652D264E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0069BD10 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 0069BD75

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 82ede1f4000a2a76fbb6bc0af29212498006324f9dcffaaf93ccf610b5f81fe9
Instruction ID: bafed43d30be8a3ef9692a13154cc0f5cafd80bdc26adb384916e289ada068c0
Opcode Fuzzy Hash: 82ede1f4000a2a76fbb6bc0af29212498006324f9dcffaaf93ccf610b5f81fe9
Instruction Fuzzy Hash: 141194B1504380AFDB218F15DC45B66FFF8EF56724F08809EED858B662D261E918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 049B16B7 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 049B1721

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c7a7ed6f09f74e0ebae4cd1331b6801b2d48a999005cadb7244a5751f763d7e6
Instruction ID: e9fc1aaa722c785cbf995ebd84d1f9dddb2e0578591a67f5522ffe9f66045032
Opcode Fuzzy Hash: c7a7ed6f09f74e0ebae4cd1331b6801b2d48a999005cadb7244a5751f763d7e6
Instruction Fuzzy Hash: 0B11E271548380AFDB228F15DC45B52FFB4EF46320F0884EEED858B563C275A918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 049B0D4A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,0A771243,00000000,00000000,00000000,00000000), ref: 049B0D9D

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 97b37a466ad84f87bef32ea86d654d854fecc5f456e3611dc5ca31fedd76270c
Instruction ID: 2b120ea5966f89e8d017b4f9bad93d2078711017dbf6c1b2965928eb4ccd7eb2
Opcode Fuzzy Hash: 97b37a466ad84f87bef32ea86d654d854fecc5f456e3611dc5ca31fedd76270c
Instruction Fuzzy Hash: 1B010471504300AEE7208F45DD85BE6F7ACDF45724F08C0A6ED448B691D374F9488AA1

Uniqueness

Uniqueness Score: -1.00%

Function 049B0AC6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 049B0B0B

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: f2c25828ef4febb64f1c411acf3855c976bf0a0b43da243521cabf1e1b82af5c
Instruction ID: e541a1867cc58b3fe012a47e43aef3ee7cf139574e2f630a5108ea522276a848
Opcode Fuzzy Hash: f2c25828ef4febb64f1c411acf3855c976bf0a0b43da243521cabf1e1b82af5c
Instruction Fuzzy Hash: CF115E71A042408FDB50CF59D985BA7FBD8EF05724F08C4BADD49CB651E674E904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 049B0462 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 049B04B3

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: dcf36fa02dc46f571cf0107a31d10dcaf721383add067c40dfd36262b0d62851
Instruction ID: 23d48f84d929171ea0c5b9bdf779367cc7bb858ca43f7da5f2d127bf921519be
Opcode Fuzzy Hash: dcf36fa02dc46f571cf0107a31d10dcaf721383add067c40dfd36262b0d62851
Instruction Fuzzy Hash: 5C1170716003049FDB20CF55D985BA7FBE9FF04720F08886ADD858B652E375E408CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0069A42A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0069A480

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c55f8dfa53d156989ecd95e4ced65c51526c6f85ac14b39ae4e1d429a4dc3bd4
Instruction ID: bc272f1b2433527f9006315a495cd5a927155db1d67ce76d0acffd2850ad739d
Opcode Fuzzy Hash: c55f8dfa53d156989ecd95e4ced65c51526c6f85ac14b39ae4e1d429a4dc3bd4
Instruction Fuzzy Hash: 78018475508384AFDB128B15DC44B62FFF8EF46720F0880DAED854B652D275A908CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 049B10A6 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 049B10E3

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c57f1179cf75a1419e4b23e16c6a86f95b144f48598cd908fd899c39e70db9a9
Instruction ID: 62f831b3004c72ba2016e5bb2e62f6679585d567c10982fa4184684308cb38cb
Opcode Fuzzy Hash: c57f1179cf75a1419e4b23e16c6a86f95b144f48598cd908fd899c39e70db9a9
Instruction Fuzzy Hash: 2601B571A002409FEB10CF56D9867A6FBD8EF05360F08C4BADD45CB756E274E508CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 049B1206 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 049B1240

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: db545503ff71f1d5957f755c928c0afe946977137359e0a501aae879f0f60131
Instruction ID: d071246825e742ec1584e7e5943c1384eda04aa21c398954b8ee949150247d75
Opcode Fuzzy Hash: db545503ff71f1d5957f755c928c0afe946977137359e0a501aae879f0f60131
Instruction Fuzzy Hash: E1019271A042008FDB50CF55D9867A6FBD8EF05360F08C4BADD49CB655E374E908CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0069B45E Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0069B4A9

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 1e98aa5059baa62fdba359a4f5a4399d00ab03b411d1bc7c18d8befe24ae2a8f
Instruction ID: da2e5b180b5f97761dcd57330dc66eac1c879daab55da535f67ce456acdeacff
Opcode Fuzzy Hash: 1e98aa5059baa62fdba359a4f5a4399d00ab03b411d1bc7c18d8befe24ae2a8f
Instruction Fuzzy Hash: E50140756002009FDF60CE19E945B66FBE8EF14B20F088499DD498BB56D375E809DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0069BD32 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 0069BD75

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 4bc51633d2ec4928d23c1cf19b53322d3b82ef4e201b53a23f091fb48178c516
Instruction ID: be6349ccf6f57a2a29049f22c3f91f3cec3d884f9c6903a55987b95180c925b3
Opcode Fuzzy Hash: 4bc51633d2ec4928d23c1cf19b53322d3b82ef4e201b53a23f091fb48178c516
Instruction Fuzzy Hash: 00019271A00600CFDB608F16E945B56FBE8EF14720F08C05ADD458BB61D371E818CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0069A622 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0069A666

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dccc67e1fecf596ec65ec1928ffaa15b8ec14d9075c382cf4aca90b954858d18
Instruction ID: 28bc74fc26bf2b97a6f823a8af0ade92f52c19d284859e6db527220d569a2640
Opcode Fuzzy Hash: dccc67e1fecf596ec65ec1928ffaa15b8ec14d9075c382cf4aca90b954858d18
Instruction Fuzzy Hash: C201AD32900600DFDF218F95D944B66FBE5EF48320F08C8AADE498AA11D375E518DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0069BC82 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 0069BCBF

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 2b4ccd62096f7d1461fa0909b105454edfbcc086be30d6a8222da76d7a1b1a7d
Instruction ID: a3d7e819e8999356a206cc65bb7d81d79b0dc8d30bec2fd0c871ab503d5c5c69
Opcode Fuzzy Hash: 2b4ccd62096f7d1461fa0909b105454edfbcc086be30d6a8222da76d7a1b1a7d
Instruction Fuzzy Hash: CE019E71A00200CFEB10CF55E985766FBE8EF14320F0884AADD488B752D775E904CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0069BAF2 Relevance: 1.5, APIs: 1, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 0069BB2C

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 82ac8e11d98c6153b898dd914489840abf62d1ec210a0b7a105b655485f1c473
Instruction ID: 4689375a25aaeb0a30764577a0ff762871d1dbc39ac75f17443dd9d59f58c74b
Opcode Fuzzy Hash: 82ac8e11d98c6153b898dd914489840abf62d1ec210a0b7a105b655485f1c473
Instruction Fuzzy Hash: D3017171A042408FDB50CF55E9857A6FBD8EF14720F08C4AADD49CB79AD774E904CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0069A2F6 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 0069A346

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0935fb7e4cf3fc70e2fcc7f28e7e5fe12da93a9d503658430b174f5872939583
Instruction ID: 8270922d6e0773d421269c740f431d0fedf36296b1a6a9ed6ce77e8d67d08e7e
Opcode Fuzzy Hash: 0935fb7e4cf3fc70e2fcc7f28e7e5fe12da93a9d503658430b174f5872939583
Instruction Fuzzy Hash: 4F01A271A00200ABD310DF1ACD46B66FBE8FB88A20F148159ED089BB41D771F959CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 049B0032 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 049B0082

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: ef6564fe3b4b0817180e895e57c326161d7977b188455a1257d903760137e337
Instruction ID: b37cb6d3e8b06904d29c1054a859dcde1f7e04dd4b4547b0b446e49002af16e2
Opcode Fuzzy Hash: ef6564fe3b4b0817180e895e57c326161d7977b188455a1257d903760137e337
Instruction Fuzzy Hash: 0A01A271A00200ABD310DF1ACD46B66FBE8FB88B20F14811AED089BB41D771F959CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 049B16E6 Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 049B1721

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: aa7cd63b37e5c5fd8b0add86638dba084864e352e8d4b52e05210a2f2e1af312
Instruction ID: 997046a60e28b13dceeffcd19de483b8814d134224c3c6e7758a9ed32a1db272
Opcode Fuzzy Hash: aa7cd63b37e5c5fd8b0add86638dba084864e352e8d4b52e05210a2f2e1af312
Instruction Fuzzy Hash: 4F01B135600200CFDB208F55D985BA6FBE4EF54220F08C4AEDD454B661D371E418DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 049B135E Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 049B1399

Memory Dump Source

Source File: 00000000.00000002.1757275823.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49b0000_SjMIbKjuDL.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ad4703cbe407e0d72213514a5e8fc314969050518d2490f3f59c1f86a5ae1a8d
Instruction ID: 7f95c1b92b4ec6008a4695b516850c89b8bebeeb6141172f0d3da1e34f965b19
Opcode Fuzzy Hash: ad4703cbe407e0d72213514a5e8fc314969050518d2490f3f59c1f86a5ae1a8d
Instruction Fuzzy Hash: 2B01DF31A00300CFDB208F45D945B66FBE4EF14320F08C4AADD850BA22E371E418CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0069A44E Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0069A480

Memory Dump Source

Source File: 00000000.00000002.1755249007.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69a000_SjMIbKjuDL.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 075859c4af882d8f75491bf28d11f43a0df1f6702de8e14f8174357eed871e74
Instruction ID: ab89d1ba0fe1f06436913d2a9ec54db8d0e20f1c39b2b44929bc78e22e5ee07d
Opcode Fuzzy Hash: 075859c4af882d8f75491bf28d11f43a0df1f6702de8e14f8174357eed871e74
Instruction Fuzzy Hash: E6F0AF75904240CFDB108F45E889761FBE8EF15B30F08C0AADD494BB52D3B9E909CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D5C7F0 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756748956.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a67c1793efdfe1984573f247ad4a7a702177bc3822e54bb6e9cabd91386d7b6
Instruction ID: 9d8e991c1c65a273f4038d1cd2cf50689fbe05b2bfc230ab8c0520c151f7475c
Opcode Fuzzy Hash: 4a67c1793efdfe1984573f247ad4a7a702177bc3822e54bb6e9cabd91386d7b6
Instruction Fuzzy Hash: A291F331B102128FCB04EB74D8916AEB7F2AF89309F144479D906AB395DF38DD09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D5C630 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756748956.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963de639f05804f8bdfdc699a45bde7b3b4ac9b1c494d29bca7b0a6654bfa0ad
Instruction ID: 2a84e457c6d334b702a5235cb28fcbb59bf149c93b2323a484dcafb156fd019a
Opcode Fuzzy Hash: 963de639f05804f8bdfdc699a45bde7b3b4ac9b1c494d29bca7b0a6654bfa0ad
Instruction Fuzzy Hash: 6F412331B002155FDF05CAA8C891BBEBBA6EB99300F14856AD904CFB82DA30EC4587E1

Uniqueness

Uniqueness Score: -1.00%

Function 00D5C7C0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756748956.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a8f0eae327b16418fc6768eeea80bf68571bf40dff80bfffc1757b22c3e792
Instruction ID: 0054fe4128a25d98a74e2ffb8492f24af89af81b03b0d5b0427b41ce09642747
Opcode Fuzzy Hash: a1a8f0eae327b16418fc6768eeea80bf68571bf40dff80bfffc1757b22c3e792
Instruction Fuzzy Hash: 87212079A183128FCF01DB68D8808AEBFA2BB483067085166DC46C3345DB30EC48CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 00D8076C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756801390.0000000000D80000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d944958c7c4491209b3041be105f4c63ec429f3dcaafd9278cdb601e526714e2
Instruction ID: 874385d52f60ab94f09be00747ab68ba8fef352b17eae827b94418ed4f4e5104
Opcode Fuzzy Hash: d944958c7c4491209b3041be105f4c63ec429f3dcaafd9278cdb601e526714e2
Instruction Fuzzy Hash: 2311E430204280DFD751DB50C980B26BBA5EB99708F28C59CE9491BB42C777E80BCFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D80736 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756801390.0000000000D80000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93dde30b93ffab84c99e7930dbee021b232819aff1f019f63696dbe08b705360
Instruction ID: 3c562a61269b838836331d0ba3ddc1978daccb6349e4422922c4f7b9eccc1196
Opcode Fuzzy Hash: 93dde30b93ffab84c99e7930dbee021b232819aff1f019f63696dbe08b705360
Instruction Fuzzy Hash: 38213B351097C08FC703DB24C950B51BFB1AF4B714F2985DAD8894B6A3C63AA81BDB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D59819 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756748956.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51308b745d1018006e94e46b666b8432cc1e87a3232f90c6d2c676fb36901046
Instruction ID: 97561d2ab1b11170db8d72b93d1711973a4fdfa4a30bef53a4353c7b5c20040f
Opcode Fuzzy Hash: 51308b745d1018006e94e46b666b8432cc1e87a3232f90c6d2c676fb36901046
Instruction Fuzzy Hash: 72F0A9317082509BDB266234AC16B6D6AD24BCB711F2901AFE901DB3D5CA729C0687A9

Uniqueness

Uniqueness Score: -1.00%

Function 00D805E0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756801390.0000000000D80000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4831497377b8dc70f017d6d7553d3c631efaff8c50e3d314c09476457102460a
Instruction ID: 6a851bc5f01a9ffb5464d3e7a2eb8c1d4b0e9c0278ca239aa2789052cc20165c
Opcode Fuzzy Hash: 4831497377b8dc70f017d6d7553d3c631efaff8c50e3d314c09476457102460a
Instruction Fuzzy Hash: 7201ADB55487806FC7018B16EC41893BFF8EF8663070984AFEC498B622D239A909CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00D59828 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756748956.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d02132f2f7bd32735d5c5e26912a26d70e0c9d23ccf9148ddfdf4da3f8fe54b
Instruction ID: f231ac3542a1e144c16cc543e7d67f1dd00c5d090ee23d2beff0551d015681ca
Opcode Fuzzy Hash: 7d02132f2f7bd32735d5c5e26912a26d70e0c9d23ccf9148ddfdf4da3f8fe54b
Instruction Fuzzy Hash: 59F0FC3170021097CA2472689811B6E71D687CAB61F35007AE901EF7D4DE72EC0747F9

Uniqueness

Uniqueness Score: -1.00%

Function 00D5C928 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756748956.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03f89c1ad997a58ad10af8b6407ff72b571d6d1769bb7a48a339c01ecc61a21
Instruction ID: f9644f383d34ade4c6245e00e484e705ed21d5e57fec8dc2a2a67ae270b8b9ea
Opcode Fuzzy Hash: d03f89c1ad997a58ad10af8b6407ff72b571d6d1769bb7a48a339c01ecc61a21
Instruction Fuzzy Hash: D3F0E931B041240FCF01A6B994206EF77E6EBCA355F0505B9D905D7385EF789D09CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D5C728 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756748956.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7abe636bc3ef2642fcbb8f8cd86a8d46eb12f0588feaf80f2a87fcdebce1f2a9
Instruction ID: 58392798ef0bc47c13c7a570a3b87264b2583fcb186f2743d56e341150a17ea6
Opcode Fuzzy Hash: 7abe636bc3ef2642fcbb8f8cd86a8d46eb12f0588feaf80f2a87fcdebce1f2a9
Instruction Fuzzy Hash: B5E02B3230010437D72855AA5C52FFBB68FA7DA368F244036F7088B791CE619C0152B5

Uniqueness

Uniqueness Score: -1.00%

Function 00D80828 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756801390.0000000000D80000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5405e8c2313153df6eab1cfdcb54e4ecace335342848f3dcb2b97980fc5d3c2
Instruction ID: c1f512d00e12cc6207baa7d6c2cbcbbdc56f17fd5d6c61198d654b5b4330d862
Opcode Fuzzy Hash: f5405e8c2313153df6eab1cfdcb54e4ecace335342848f3dcb2b97980fc5d3c2
Instruction Fuzzy Hash: 1CF01D35144644DFC305DB40D980B25FBA2EB89718F24CAADE94917752C737E813DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00D80606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756801390.0000000000D80000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0f2938341bc936975496687ab42ab3f54cd4c177bfaf3ec22610a96524f571
Instruction ID: b209e5e01833c100e9f5b82e9898f2a592d5f6e70e4439c49187ad803dd1598a
Opcode Fuzzy Hash: da0f2938341bc936975496687ab42ab3f54cd4c177bfaf3ec22610a96524f571
Instruction Fuzzy Hash: 67E092B6A046005B9750CF0AFC41456F7D8EB84630708C47FDC0D8B711E275B908CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D500A0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756748956.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e397f202f00653c0db73948959b9d5fecd47a492e636363bc0e978809c33e5ae
Instruction ID: 67a0f3c3da0d541a296ca036b85ee390b4c4036b1561f9815e2704ee79f695b8
Opcode Fuzzy Hash: e397f202f00653c0db73948959b9d5fecd47a492e636363bc0e978809c33e5ae
Instruction Fuzzy Hash: 07D0A72234462453D50A31982C1179E364E4787A30F02005AF5059A282CE8A0D0202EE

Uniqueness

Uniqueness Score: -1.00%

Function 00D50070 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756748956.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb92ab456df37ff223dff754428123ee0cde99665e63c378aa54390be683d85
Instruction ID: afe504eba2d31e53a8b79afd135d16f87b887ee765b26d0b22d547911dca8f14
Opcode Fuzzy Hash: dfb92ab456df37ff223dff754428123ee0cde99665e63c378aa54390be683d85
Instruction Fuzzy Hash: 0CC01221300524534A89327551260FE624BCE924A8303007FF11A8A742CF1B8D8206EE

Uniqueness

Uniqueness Score: -1.00%

Function 006923F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755227470.0000000000692000.00000040.00000800.00020000.00000000.sdmp, Offset: 00692000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_692000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2aef786ce693c3d126bd91b4d0eae3dcffcb0fe924688e22641edf619e9383d
Instruction ID: bcbc47df5b8d913972908fe512c95c25b597529776e984a3af2e0eb871e8793c
Opcode Fuzzy Hash: f2aef786ce693c3d126bd91b4d0eae3dcffcb0fe924688e22641edf619e9383d
Instruction Fuzzy Hash: 00D05E79205AC25FD7169A1CC1A4BD537D9AB61B18F4A44F9A8008BB63C768E9D1D600

Uniqueness

Uniqueness Score: -1.00%

Function 006923BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755227470.0000000000692000.00000040.00000800.00020000.00000000.sdmp, Offset: 00692000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_692000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70fc87ee2b636c064b6ad0cb9b0f30bea8c2d2b44495404c5e717f2ed12bc844
Instruction ID: c425647dc31869a07d86a560c8e061cd5ba7d2686ac1bed19684a13f6b015ba9
Opcode Fuzzy Hash: 70fc87ee2b636c064b6ad0cb9b0f30bea8c2d2b44495404c5e717f2ed12bc844
Instruction Fuzzy Hash: 28D05E342006824BCB15DA0CC6E4F9937D9AB50B14F0684E9AC108BB62C7A8ECC0CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00D500B0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756748956.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_SjMIbKjuDL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e93d3aba2b4cbdcba09869b5d5d454e461f9d0e0743f1a7957aadd52b23eaa
Instruction ID: c7652117aed2d559a7bcb955612e8e1c99218f2fad964ea194261465a9f4ab14
Opcode Fuzzy Hash: b3e93d3aba2b4cbdcba09869b5d5d454e461f9d0e0743f1a7957aadd52b23eaa
Instruction Fuzzy Hash: DCC09B11304D3493485E355D34114AD734F4987D75742045EF50957352CE875D4207DE

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: chargeable.exePID: 2836, Parent PID: 6696COMMON

Execution Graph

Execution Coverage:	19.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	54
Total number of Limit Nodes:	3

Executed Functions

Function 05930DFA Relevance: 1.6, APIs: 1, Instructions: 69
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL(?,?), ref: 05930E73

Memory Dump Source

Source File: 00000002.00000002.1791544592.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5930000_chargeable.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: decb8b585ec72c81dbae317ab538b1ed5aae470e5d2ce51032ca48d262a4a501
Instruction ID: 52b402bb3f497d1f2d2acc70c90320516d900dab271fbb2f5bd07a5e4bf3417a
Opcode Fuzzy Hash: decb8b585ec72c81dbae317ab538b1ed5aae470e5d2ce51032ca48d262a4a501
Instruction Fuzzy Hash: 2021E0B15093C09FDB12CF21C855BA1BFE0AF06224F1C84DEECC84F153D266954ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 05930EB9 Relevance: 1.6, APIs: 1, Instructions: 62nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 05930F24

Memory Dump Source

Source File: 00000002.00000002.1791544592.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5930000_chargeable.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: ebc33fca0b1eeccf806c6dc5dc1af4b44bbe1778fe3e09b0d7a5f77f553f71d4
Instruction ID: 96afb5b2b7dfc614b5d82032b4bdf1eafce6e4ec5ec1f6631085d87c5191e5e5
Opcode Fuzzy Hash: ebc33fca0b1eeccf806c6dc5dc1af4b44bbe1778fe3e09b0d7a5f77f553f71d4
Instruction Fuzzy Hash: D2116071409380AFDB228F55DC44B62FFB4EF46310F0884DAED848B553D275A559DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05930EE6 Relevance: 1.5, APIs: 1, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 05930F24

Memory Dump Source

Source File: 00000002.00000002.1791544592.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5930000_chargeable.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: da1ffc8a2505c3f6f30a9f27ff89cc030dcaaad557037e2c15ce3037665d952c
Instruction ID: 1a6c84191bd4d7bfb9789802d20fb42d717c16d12009e5c6dcf5182ca6672398
Opcode Fuzzy Hash: da1ffc8a2505c3f6f30a9f27ff89cc030dcaaad557037e2c15ce3037665d952c
Instruction Fuzzy Hash: 90019E31900240DFDB20CF95D849B66FBE4FF19320F0888AADD498B616D375E558CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05930E3E Relevance: 1.5, APIs: 1, Instructions: 40nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 05930E73

Memory Dump Source

Source File: 00000002.00000002.1791544592.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5930000_chargeable.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f77a55d25d5f4009c782998293eb5952cd075f945740b010955fa1032be35884
Instruction ID: 901ff42923faf47c5b2f2958e5fa1053be159f350383c1f3d96a870cf724f7d5
Opcode Fuzzy Hash: f77a55d25d5f4009c782998293eb5952cd075f945740b010955fa1032be35884
Instruction Fuzzy Hash: 01018F71A04244DFDB20CF55D889B65FBE4FF49320F08C8AADD498B656D375E408CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 017B00D0 Relevance: 9.1, Instructions: 9148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1790789799.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_17b0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e0b402c04cebe114dc1dbcfac1d6ccb2265ff8144b3db331a0c0b43d692ecf
Instruction ID: 89278d17b79e7896e24333164486c4a184af1e8814421692395068c311e8c786
Opcode Fuzzy Hash: 61e0b402c04cebe114dc1dbcfac1d6ccb2265ff8144b3db331a0c0b43d692ecf
Instruction Fuzzy Hash: A1142834601704DFD765DB30C854A9AB3B2FF99304F6188A8D55AAB360DF36AE86CF41

Uniqueness

Uniqueness Score: -1.00%

Function 017B00E0 Relevance: 9.1, Instructions: 9140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1790789799.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_17b0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d7dcb91805a3e4d11ae1f12c510e5c66b0d5e7ced50f759c173f8af5516107
Instruction ID: 7190cb333206af68c2fc411068b6665161822b6fa6729272de1af735c17c9c9b
Opcode Fuzzy Hash: c2d7dcb91805a3e4d11ae1f12c510e5c66b0d5e7ced50f759c173f8af5516107
Instruction Fuzzy Hash: 1B142834601704DFD765DB30C854A9AB3B2FF99304F6188A8D55AAB360DF35AE86CF41

Uniqueness

Uniqueness Score: -1.00%

Function 017B98A0 Relevance: 2.7, Instructions: 2696
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1790789799.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_17b0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef39b1d96a44da60ec25ed9686f11615651ba3da5fa86719467bf4100960640
Instruction ID: 4832b0655618b65fa1ca3a8ebe9b6f91177ac539306c0d74b051689569f667e4
Opcode Fuzzy Hash: 5ef39b1d96a44da60ec25ed9686f11615651ba3da5fa86719467bf4100960640
Instruction Fuzzy Hash: E133C3383069218B871ABF20D55495E7BA6FF8855C3548345C90197B88CF3EAF4F9BC6

Uniqueness

Uniqueness Score: -1.00%

Function 05930CA1 Relevance: 1.6, APIs: 1, Instructions: 121
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000E24), ref: 05930DA4

Memory Dump Source

Source File: 00000002.00000002.1791544592.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5930000_chargeable.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e327b8e791628ad85cf86b4bb513cfd320faea018c8cb66b79450fe023153c52
Instruction ID: 34582246d21c78a000fb5bcbec8b124296fff69d7191e6f685509f167c8010ea
Opcode Fuzzy Hash: e327b8e791628ad85cf86b4bb513cfd320faea018c8cb66b79450fe023153c52
Instruction Fuzzy Hash: 38418072504340AFEB22CB65CD45FE2BBFCEF05710F04499AF9898B5A2D265F949CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05930CDA Relevance: 1.6, APIs: 1, Instructions: 97
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000E24), ref: 05930DA4

Memory Dump Source

Source File: 00000002.00000002.1791544592.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5930000_chargeable.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1d95e9ddf06ff064b539cafec8f17709a79e579c6ac373e60807b59e88af446e
Instruction ID: 2589f642d47479610860894e181537ec494d4ef8aa8598c5819c12c063413e67
Opcode Fuzzy Hash: 1d95e9ddf06ff064b539cafec8f17709a79e579c6ac373e60807b59e88af446e
Instruction Fuzzy Hash: B4318076600304AFEB21CF65CD85FA6F7ECEF08710F048959EA498A691D771F549CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0147AC22 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0147ACD1

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 858d3087ecb76fbfbf3fd455ec489c37a030f90ddac1af45e4f9e65f9d011bc3
Instruction ID: 3dda732d8eca44f611f2be4e056c881d96405ead1ca51f8d2ce470d36f4c8ff6
Opcode Fuzzy Hash: 858d3087ecb76fbfbf3fd455ec489c37a030f90ddac1af45e4f9e65f9d011bc3
Instruction Fuzzy Hash: B031B471508384AFE7228F65DC45FA7BFBCEF06210F08849AE9858B653D264E94DCB71

Uniqueness

Uniqueness Score: -1.00%

Function 0147AD19 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,E3641AB6,00000000,00000000,00000000,00000000), ref: 0147ADD4

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 883e0aa9b42b6a38dcf3082817611286d62d47ec5c214cfd41931b89192ba89f
Instruction ID: 27bd63374b4fcbe664fec03a71fbd0349970253500351b47d183099d6e88e21b
Opcode Fuzzy Hash: 883e0aa9b42b6a38dcf3082817611286d62d47ec5c214cfd41931b89192ba89f
Instruction Fuzzy Hash: 8531A1715083845FE722CF65CC44FA7BFB8EF46210F18849AE9458B663D260E949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0147A2AC Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 0147A346

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d2635ca865ea0dba5e7a95925ffc611f8301835c4497db0a4523c0ad3df92cec
Instruction ID: 5355277a26b5ad9bf031b5102880a8b60fe342bfa747c5691bc35948d7353ffe
Opcode Fuzzy Hash: d2635ca865ea0dba5e7a95925ffc611f8301835c4497db0a4523c0ad3df92cec
Instruction Fuzzy Hash: 6D21F67150D3C06FD3138B259C51B62BFB8EF87620F0A41CBE884DB693D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0147AC52 Relevance: 1.6, APIs: 1, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0147ACD1

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 02588f121533389be870774bcaf577b483456bf065de4f945b70520f6434dd55
Instruction ID: f20b6747efdd08a7855a89f7839a5094f6700be3c71280c237c8c0fd8bb146fb
Opcode Fuzzy Hash: 02588f121533389be870774bcaf577b483456bf065de4f945b70520f6434dd55
Instruction Fuzzy Hash: 3721CF72504204AFE7219F55DD84FABFBECEF04214F18845AE9458BA52D334E94D8AB1

Uniqueness

Uniqueness Score: -1.00%

Function 05930431 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 059304B3

Memory Dump Source

Source File: 00000002.00000002.1791544592.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5930000_chargeable.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: ba4d87fa5abfd347bef64c37e2cf291e16bfc2b40290872ca1de580281debf39
Instruction ID: ab5b86e3deaaad525347fcfdb7f62b236ba4f1764e84179a40997d72a053b66e
Opcode Fuzzy Hash: ba4d87fa5abfd347bef64c37e2cf291e16bfc2b40290872ca1de580281debf39
Instruction Fuzzy Hash: 752174716087849FDB22CF25DC45B62BFF8FF46210F09849AE9858F563D275E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0147AD5A Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,E3641AB6,00000000,00000000,00000000,00000000), ref: 0147ADD4

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b3bead653045e0bc51f8e149aa2aa4cbf925fc6658ec9dcbafb8c99e369c0458
Instruction ID: 102178ba8094c83cc8149506d71e893d2ed4e2986caa96513333b9936b27eb65
Opcode Fuzzy Hash: b3bead653045e0bc51f8e149aa2aa4cbf925fc6658ec9dcbafb8c99e369c0458
Instruction Fuzzy Hash: C0218E75600604AFE721CF55CC84FE7B7ECEF04620F18845AE9458B762D770E949CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0147BAB4 Relevance: 1.6, APIs: 1, Instructions: 68
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?), ref: 0147BB2C

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e51bb9309954617d47cb4d068350548b751dbcfffcbeae0a8a22db1a7da4ebf7
Instruction ID: 5994deff5e93c0109733a90355bd248823ac63e7deeb887c7fef91a1bd24f852
Opcode Fuzzy Hash: e51bb9309954617d47cb4d068350548b751dbcfffcbeae0a8a22db1a7da4ebf7
Instruction Fuzzy Hash: 70215E715093C05FDB128B25DC94792BFB4EF47214F0D84DAED848F667D264A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0147B42D Relevance: 1.6, APIs: 1, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0147B4A9

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 1f0a725e17e22835ac02f603f330f0842e5583f3df529bbcfec9b656629e8b8c
Instruction ID: 38888f88c998ceec589d40a9348c378c669ae517286a73bfc8d25b513ebd9aa6
Opcode Fuzzy Hash: 1f0a725e17e22835ac02f603f330f0842e5583f3df529bbcfec9b656629e8b8c
Instruction Fuzzy Hash: F22181B15093805FDB22CE15DC45B63BFF8EF46614F08809AED848B263D275E908C761

Uniqueness

Uniqueness Score: -1.00%

Function 0147BC4B Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 0147BCBF

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 59e28dc74b4bd9f2a923badb7331bb24589e1a75a9d567ed79ddaf5bc16f8e16
Instruction ID: 7988eff840ab7c66a309ad1c9bd96169621e3c7bae4487d135b1a752ef37f184
Opcode Fuzzy Hash: 59e28dc74b4bd9f2a923badb7331bb24589e1a75a9d567ed79ddaf5bc16f8e16
Instruction Fuzzy Hash: 4A21A5B19093849FD712CF25DC45B52BFF4EF46210F0984DAED848F263D274A509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05930006 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 05930082

Memory Dump Source

Source File: 00000002.00000002.1791544592.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5930000_chargeable.jbxd

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: 42e5434a0ac30719a05e97e04a86494445a5ff7eba86031d0eb919c9462c9782
Instruction ID: 0efbbaa975316994d905754ed7572ed04f8c8df9452fd20174613599dcea902d
Opcode Fuzzy Hash: 42e5434a0ac30719a05e97e04a86494445a5ff7eba86031d0eb919c9462c9782
Instruction Fuzzy Hash: 0B11E271544340AFC3118B15CC41F72BBB8EF8A620F0581AAEC488BA42D274B959CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05931009 Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0593107D

Memory Dump Source

Source File: 00000002.00000002.1791544592.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5930000_chargeable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0f96f80116f77ddcb0971b82788c037fb2b0ac61f42781b85fd49e671162bdce
Instruction ID: cdb91e525b9d8eedb3118e843b4c0ac1faa8dfafc26216616d8ecccaac551cc7
Opcode Fuzzy Hash: 0f96f80116f77ddcb0971b82788c037fb2b0ac61f42781b85fd49e671162bdce
Instruction Fuzzy Hash: AD219D715093C09FDB238F25CC45A62BFB4EF07210F0984DAE9848F563D265A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0147A5FB Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0147A666

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1befce8ec70cba748b464d7566260476f1af0e526b14d7e8c51977ef7858c8da
Instruction ID: 70cad0c720331a69e530e60c3ae683a0a1ed1ba89a9018fab6f9e8ed8f893a82
Opcode Fuzzy Hash: 1befce8ec70cba748b464d7566260476f1af0e526b14d7e8c51977ef7858c8da
Instruction Fuzzy Hash: 7E11A271409380AFDB228F55DC44B62FFF4EF4A210F08889AED898B563D275A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0147BD10 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 0147BD75

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 55138433b67c08b836f7e75456fc28981826cfdc026d11081956a87082316c6f
Instruction ID: fc2e27bd31a6279773089ef16653b0bfc0e6558e8fdea6307afaf83da2e43f65
Opcode Fuzzy Hash: 55138433b67c08b836f7e75456fc28981826cfdc026d11081956a87082316c6f
Instruction Fuzzy Hash: B3116071504380AFDB228F15DC45B63FFB8EF46624F08809EED858B663D271E919CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0593139B Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05931405

Memory Dump Source

Source File: 00000002.00000002.1791544592.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5930000_chargeable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f92d3c67a1ed449c53aab3daf1ca87f5d6913243cdeb3598f1e04b51c66bd0b4
Instruction ID: 66c1b75df30e1adc3b6adbc8cd21ad7e6ece003769c0c1f3a414997c8c4223a4
Opcode Fuzzy Hash: f92d3c67a1ed449c53aab3daf1ca87f5d6913243cdeb3598f1e04b51c66bd0b4
Instruction Fuzzy Hash: 1211D071548380AFDB228F11DC45B62FFB4EF06224F08849EED458B563D265A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05930462 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 059304B3

Memory Dump Source

Source File: 00000002.00000002.1791544592.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5930000_chargeable.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 6586af287850a6fc0daffa6f0deee8ed13a23a6f13f15aa9b4f1539c8e0af2be
Instruction ID: 602a37e5fff7414c60f86d3c48c48c022fe161be6193e081d8fde2b897b46241
Opcode Fuzzy Hash: 6586af287850a6fc0daffa6f0deee8ed13a23a6f13f15aa9b4f1539c8e0af2be
Instruction Fuzzy Hash: 09117075600304DFDB20CF55D889B66FBE8FF08220F08886ADD498B652E375E504CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0147A42A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0147A480

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 924ca19fb5648658df6fcff357d676508a047e1ab5737a617aa9bb83edd0eb30
Instruction ID: e03749390cca205c654a29fbe1dab246b00b6911f63c7ba997cc41d6d6d51d65
Opcode Fuzzy Hash: 924ca19fb5648658df6fcff357d676508a047e1ab5737a617aa9bb83edd0eb30
Instruction Fuzzy Hash: EE018475908384AFD722CF15DC44B62FFB8EF46620F0880DAED854B263D275A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0147B45E Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0147B4A9

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: aae7e3e08d49f216d894bb9de355a26b6984d221f2b698d4b2be6b3bc312874f
Instruction ID: 1661a1c89fad94bd004720b24bf2fc227b5d19260aa53d380495f6b5dc2c977d
Opcode Fuzzy Hash: aae7e3e08d49f216d894bb9de355a26b6984d221f2b698d4b2be6b3bc312874f
Instruction Fuzzy Hash: 5E0152759002449FEB60CF19D845BA3FBE8EF15620F0884AADD498B762D775E409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0147BD32 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 0147BD75

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 0f48952a870fc361aad06ca4a94c5d52223eed21e746948b3312c858a8009f58
Instruction ID: 5fb1a3b89da905aa4be29fc09b2608b1de0d0c7b5e51e02b723d49f24850c83e
Opcode Fuzzy Hash: 0f48952a870fc361aad06ca4a94c5d52223eed21e746948b3312c858a8009f58
Instruction Fuzzy Hash: 8701B571A00640CFDB61CF1AD845B96FBE4EF55620F08C05ADD458B762D271E459CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0147A622 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0147A666

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 57e6803ad713aee1f86493d706cc89f303fe95c7ff693589e94818c04a952325
Instruction ID: ba8af44392330e46aff61d8c820fb7cd0f8b7dab1cd60c73976deaa8981ff585
Opcode Fuzzy Hash: 57e6803ad713aee1f86493d706cc89f303fe95c7ff693589e94818c04a952325
Instruction Fuzzy Hash: 6F01AD32900600DFDB21CF95D844B66FBE4EF48320F08C89ADE894B622D375E418CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0147BC82 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 0147BCBF

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 6496a708da68e8d9cf0815f3d7e9a9472d5c418152c3d4011b5ffe6017d09043
Instruction ID: f18689d8cfe5406363201460a0c6582c0941e810e4d42f49c3e4f858a2716182
Opcode Fuzzy Hash: 6496a708da68e8d9cf0815f3d7e9a9472d5c418152c3d4011b5ffe6017d09043
Instruction Fuzzy Hash: 0601D471900240DFEB20CF19D8857A6FBE8EF04220F08C4AADD49CB352D675E404CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0147A2F6 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 0147A346

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d9c8f1914cffd92fc18f7de13417fe970b62afcc4e189304728ed5cffd1bde34
Instruction ID: 258bd97a0f4ddceaf693134b4a709c2ef960e612b26ec778a15c67eb739fb03a
Opcode Fuzzy Hash: d9c8f1914cffd92fc18f7de13417fe970b62afcc4e189304728ed5cffd1bde34
Instruction Fuzzy Hash: EF01A271A00200ABD310DF16CD86B66FBF8FB88A20F148159ED089BB41D771F955CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0147BAF2 Relevance: 1.5, APIs: 1, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 0147BB2C

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5baf9ff1949e7083f1b4e7db32a4c08ca3b79e26cb010a860764d24f38f04fd4
Instruction ID: d84daf1fe6a41006e6db65e074f53e41b2750e64d936861cfbc6a596b67b2b0e
Opcode Fuzzy Hash: 5baf9ff1949e7083f1b4e7db32a4c08ca3b79e26cb010a860764d24f38f04fd4
Instruction Fuzzy Hash: 62018471A002448FDB60CF59D9857B2FBE4EF45220F08C4AADD49CF75AD274E404CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05930032 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 05930082

Memory Dump Source

Source File: 00000002.00000002.1791544592.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5930000_chargeable.jbxd

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: 8698322b0bba81bf5f5b817bcf8d7e4c4788fa3226bcc2f8b6ea274e4c3ae1d1
Instruction ID: c4602fde71dd0c6d672a6c93e165122833a2619ec2f151533409046f4974fce1
Opcode Fuzzy Hash: 8698322b0bba81bf5f5b817bcf8d7e4c4788fa3226bcc2f8b6ea274e4c3ae1d1
Instruction Fuzzy Hash: 2A01A271A00200ABD310DF16CD86B66FBF8FB88A20F14811AED089BB41D771F955CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 059313CA Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05931405

Memory Dump Source

Source File: 00000002.00000002.1791544592.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5930000_chargeable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1b6df62d08df031d712b571d6811fb3a39bd9c40da589bb20a44c0485459dbfe
Instruction ID: 446c4fbe4b505f13efcb37f3ea0988600d8f13c2775aba7d82f525a8798b58d0
Opcode Fuzzy Hash: 1b6df62d08df031d712b571d6811fb3a39bd9c40da589bb20a44c0485459dbfe
Instruction Fuzzy Hash: 7101B132900240CFDB20CF55D845B66FBE4FF15220F08C4AADD454B662D371E458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05931042 Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0593107D

Memory Dump Source

Source File: 00000002.00000002.1791544592.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5930000_chargeable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4f0e59abc984a29c9be619b3c78a9071a1a553d511c5c386c44ef0b191bacf34
Instruction ID: 253a70ecc228eb7923241e1e208d3f7f20b161378434c3e93fa997bb8576ea5e
Opcode Fuzzy Hash: 4f0e59abc984a29c9be619b3c78a9071a1a553d511c5c386c44ef0b191bacf34
Instruction Fuzzy Hash: D1018B35900280DFDB20CF46D885B62FBE4FF19220F08C49ADE890B662D375E458DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0147A44E Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0147A480

Memory Dump Source

Source File: 00000002.00000002.1789697252.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147a000_chargeable.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2f9d59ac7534328b4869a614d3b2ebc4fc598c500d854ce266dd745388dcdfb0
Instruction ID: 44636f374de9e29c387e8c56c7350113615fe1c6c303c7784f4bad09057f1d4e
Opcode Fuzzy Hash: 2f9d59ac7534328b4869a614d3b2ebc4fc598c500d854ce266dd745388dcdfb0
Instruction Fuzzy Hash: A3F0A475904244CFDB20CF05D8897A6FBE4EF55220F1CC0AADD494B762D275E449CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 017BCE20 Relevance: 1.3, Instructions: 1282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790789799.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_17b0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed488632cfdf814afa01f42e69e3f1be1773531732561a6d1d50cb8ef11da00
Instruction ID: b493a66fd55ff88e310361a3ee6ebedc8611ce60b4ada79817a93efab63efab2
Opcode Fuzzy Hash: 3ed488632cfdf814afa01f42e69e3f1be1773531732561a6d1d50cb8ef11da00
Instruction Fuzzy Hash: 1FB14F75E002099FDB15CBA9D885BEDFBF2EF98314F14C06AE515AB2A1D7319C42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017BC7F0 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790789799.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_17b0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1871e20ff875f20d987f2702f95d36c56f9cefa51a013b602d844d7a5fbe0681
Instruction ID: e84a2044b446fd532698f1494dd7bb215b79e7b72ec67609778b95b679aebec7
Opcode Fuzzy Hash: 1871e20ff875f20d987f2702f95d36c56f9cefa51a013b602d844d7a5fbe0681
Instruction Fuzzy Hash: 2C91C431B012118FCB16DB78D4916EEB7B2FF89218F10846AC506EB7A5DF389D09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 017BC630 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790789799.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_17b0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d566566e4cbd612582795be009f25c06a2ed461d8b0b07f94ee7bea1e793435
Instruction ID: 94232124ff5031338a8910c986a9007da7a4edb0885525aecdad8acdea3e8594
Opcode Fuzzy Hash: 0d566566e4cbd612582795be009f25c06a2ed461d8b0b07f94ee7bea1e793435
Instruction Fuzzy Hash: 6B4103317002515FDB06CAA8C891BFEFBA2EB95304F18C56AD144CF786DB74AC0183A1

Uniqueness

Uniqueness Score: -1.00%

Function 017BCB00 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790789799.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_17b0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217699b666c87b25bd792f5fc202a3fa4f61084f9fd1a2dcdc3be81d37ae1fcd
Instruction ID: 795c5f36d8af5158dae3254097f50717d1ea6e57c6d75a6bcb8d1c957bc03705
Opcode Fuzzy Hash: 217699b666c87b25bd792f5fc202a3fa4f61084f9fd1a2dcdc3be81d37ae1fcd
Instruction Fuzzy Hash: 3E410631B042458BDB279B7884987FEBFA2AB89210F15806ED502EB351DF348805DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 017BC77F Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790789799.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_17b0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d770f0fa26d01449ae2a5800e1b6d487392edf0c0716179ead306357c7bf38
Instruction ID: ffd68ca40b0421430a72c5ca7bbc991e144257a7e53d057ce41507756f6ce73a
Opcode Fuzzy Hash: c9d770f0fa26d01449ae2a5800e1b6d487392edf0c0716179ead306357c7bf38
Instruction Fuzzy Hash: C241E670A093428FCB23DB78D890AEEFFB1FF59214B14816AC541DB296D7349D48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 017BC7C0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790789799.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_17b0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4db96b7bcb15fde97a7a458497070906ce021e1a6030dff3bba6dc90535662
Instruction ID: 5758a8be3ccf6917bdb91a4afbf8eba15aec1a17f1fa4574bb827d6cc40394e5
Opcode Fuzzy Hash: de4db96b7bcb15fde97a7a458497070906ce021e1a6030dff3bba6dc90535662
Instruction Fuzzy Hash: 4C312371B052128FCB22CB68D8C0AEEFBA2FF482287148269D515D7795DB34ED44CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 017BCC9F Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790789799.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_17b0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6634396c284a2712b29d60f5befd1cdffa4bacb231ef3b5a1d41de321409f91a
Instruction ID: d7905e649e57f3fe3c864a6b26f7de4051033966b0dc34517cd6a5f099a4dce9
Opcode Fuzzy Hash: 6634396c284a2712b29d60f5befd1cdffa4bacb231ef3b5a1d41de321409f91a
Instruction Fuzzy Hash: 1B21D271E002569FCB01CBB48895AEEFFB6EFA9210F14846ED601A7255DB344805CB61

Uniqueness

Uniqueness Score: -1.00%

Function 017B0016 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790789799.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_17b0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864d336d7dd8d419908fefd3a03edc4fa91d6f5b65b94641ffe0477513fb4c70
Instruction ID: 1bbbf4212b3e38a1fddbbcaac03a36cdb43d9c7f9b37ef061d7af1daee672ba9
Opcode Fuzzy Hash: 864d336d7dd8d419908fefd3a03edc4fa91d6f5b65b94641ffe0477513fb4c70
Instruction Fuzzy Hash: 7E11EE2158E7C05FCB83AB7048A50AABF719E5711430E40EFD4C9CF1A3DA2E884AC363

Uniqueness

Uniqueness Score: -1.00%

Function 01A70734 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790993989.0000000001A70000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a70000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a61c198f9c7669047e271b203711aff003a40a64c0a328b402a3b969c3236e
Instruction ID: 46acc7089de675ead8309b43409141df6b654559d2c8c8b09798a3f513402cdc
Opcode Fuzzy Hash: 75a61c198f9c7669047e271b203711aff003a40a64c0a328b402a3b969c3236e
Instruction Fuzzy Hash: 2421793110D7C18FC7138B64CA50B51BFB1AF47604F2985EAE4884BAA3C63A9916DB52

Uniqueness

Uniqueness Score: -1.00%

Function 01A7076C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790993989.0000000001A70000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a70000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb8f07a69eadde83c2a68149f99f1baa431f3a3099205f50224734faa7e7071
Instruction ID: a61ddd2cebdc1b405a286cd7afdda1b2b8fb27c4ba7c3789088935b68f4f386f
Opcode Fuzzy Hash: ceb8f07a69eadde83c2a68149f99f1baa431f3a3099205f50224734faa7e7071
Instruction Fuzzy Hash: D211E430204680DFD711CB54CE80B26FBA1EB8A708F28C99CF9491BB42C737D903CA81

Uniqueness

Uniqueness Score: -1.00%

Function 017B9819 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790789799.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_17b0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e13d4f7a64faea0a6fbc8c9abe6961113d58133a8680e692aa1f503d3677bf4
Instruction ID: b04247520eb7002c44c5cdddbe970e1b1351c3b616047b7bb5cae27e2da7fd8f
Opcode Fuzzy Hash: 2e13d4f7a64faea0a6fbc8c9abe6961113d58133a8680e692aa1f503d3677bf4
Instruction Fuzzy Hash: E401F731B863509FC72252285851BADBFA18F8A714F2500AFD700EB3A2CB649C0683A5

Uniqueness

Uniqueness Score: -1.00%

Function 01A705E0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790993989.0000000001A70000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a70000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f167a63b418f1354002f3bd1cfb06fdc7dab656366c60b43f7da0044e400b24
Instruction ID: 10f1e77e1769f82d59c9b680e19b23e90486dea6a6084de0cb6c265bc808d3b1
Opcode Fuzzy Hash: 0f167a63b418f1354002f3bd1cfb06fdc7dab656366c60b43f7da0044e400b24
Instruction Fuzzy Hash: DA01D6B65083806FC711CF55AC40893FFF8EF8623070984ABEC488B612D135B949CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 017B9828 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790789799.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_17b0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb43b6bd40ae474dcf78988b2850addbc35295af56167f754d504e80160e7384
Instruction ID: ab909d19d50dd2c2c0f8c89513b3d2c3426a82cd35a50da790af51ce8c0218b8
Opcode Fuzzy Hash: eb43b6bd40ae474dcf78988b2850addbc35295af56167f754d504e80160e7384
Instruction Fuzzy Hash: FDF04632B4021097CB3462AD9801BAEB1D6CBC9B54F20002AE701EF3A4CF71EC0743E9

Uniqueness

Uniqueness Score: -1.00%

Function 01A70828 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790993989.0000000001A70000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a70000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5405e8c2313153df6eab1cfdcb54e4ecace335342848f3dcb2b97980fc5d3c2
Instruction ID: b06cdd45edf6d5ea7141fb6c9b2f4617cab7570ca8a55d030c75de137a1030ad
Opcode Fuzzy Hash: f5405e8c2313153df6eab1cfdcb54e4ecace335342848f3dcb2b97980fc5d3c2
Instruction Fuzzy Hash: 03F01D35144644DFC306CB44DA80B26FBA2EB89718F24CAADE9491B752C737E913DE81

Uniqueness

Uniqueness Score: -1.00%

Function 01A70606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790993989.0000000001A70000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a70000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27065834d3679c14a280e1dd80d247470bd943d2604b018833b3ea63da106050
Instruction ID: bde98b01834d917977c80e13c33937b41434d21e3e4b61c68743a44bdb6d0a1a
Opcode Fuzzy Hash: 27065834d3679c14a280e1dd80d247470bd943d2604b018833b3ea63da106050
Instruction Fuzzy Hash: 58E092B6A006445B9750CF0AEC41452F7E8EB88630708C47FDC0D8B701E275B508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 017B00A0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790789799.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_17b0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1bcdd690bb67d51945bccb6627ea0d3a1db2bb968fb9dac2f97fc64227ca57
Instruction ID: 99dd30a279cc4e1a99527955fa552f1fe06b4cc924cecf259b3195d219a5bae3
Opcode Fuzzy Hash: af1bcdd690bb67d51945bccb6627ea0d3a1db2bb968fb9dac2f97fc64227ca57
Instruction Fuzzy Hash: 5ED0A7726845205BCB0E21A838104FD67998BF7630B11005FD006D62A2CE5D0D0343D5

Uniqueness

Uniqueness Score: -1.00%

Function 017B0070 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790789799.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_17b0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee06db44795ed59f37a659779d955d9aa49f5e95e1ba1cde4426ded9bc58af5
Instruction ID: af6efd76f1289eb68f1c1ed3c141e9f4f1106bc472739df499b85d895fb4e15b
Opcode Fuzzy Hash: eee06db44795ed59f37a659779d955d9aa49f5e95e1ba1cde4426ded9bc58af5
Instruction Fuzzy Hash: 95C01221300524530E4933B651254FE674ACE62498703007FE11A8A742CF2B894202EA

Uniqueness

Uniqueness Score: -1.00%

Function 014723F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1789673423.0000000001472000.00000040.00000800.00020000.00000000.sdmp, Offset: 01472000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1472000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e11ca13e783581a9f3ccfcbb594c5742e3f9027264b1d13cd567cd0c72e76a2
Instruction ID: 88ae8ccff894a75ad6eb9bf3c3cd40d57d40b201852e94b59677b46e45437d26
Opcode Fuzzy Hash: 9e11ca13e783581a9f3ccfcbb594c5742e3f9027264b1d13cd567cd0c72e76a2
Instruction Fuzzy Hash: 30D05E7A205AD18FE3169A1CC1A4FD63BE4AB61714F4A44FAA8009B773C7A8E5C1D600

Uniqueness

Uniqueness Score: -1.00%

Function 014723BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1789673423.0000000001472000.00000040.00000800.00020000.00000000.sdmp, Offset: 01472000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1472000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf77add47f577ccf1576fdedc630c54c085f13e4018bf2b79219fdc612061bbc
Instruction ID: 277b8c12efddbd533e2cdef113399d27a395c93011b637edd8b33a3f8dd4b870
Opcode Fuzzy Hash: bf77add47f577ccf1576fdedc630c54c085f13e4018bf2b79219fdc612061bbc
Instruction Fuzzy Hash: 8BD05E342006814BD715DA2CC6D4F9A3BD4AB50B14F0644EDAC108B772C7B4E8C0CA00

Uniqueness

Uniqueness Score: -1.00%

Function 017B00B0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1790789799.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_17b0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d319de211b6b8ccb7a5a34f7816a201ae2d4ecc9f120b3f2ce9442cae0857169
Instruction ID: a4de4ae21a62c5e2e2cbfbf9f6c7691ff8dec1219147e7b06b0b8cc0f8e76b6b
Opcode Fuzzy Hash: d319de211b6b8ccb7a5a34f7816a201ae2d4ecc9f120b3f2ce9442cae0857169
Instruction Fuzzy Hash: C4C09B71344535530D1E35DE38504AD774D49F7C65B41055FD50957361CE565D0203DE

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: chargeable.exePID: 6472, Parent PID: 2836COMMON

Execution Graph

Execution Coverage:	14.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.3%
Total number of Nodes:	130
Total number of Limit Nodes:	5

Executed Functions

Function 056228DB Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0562295B

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: b3e7282008228c9dee8d013edc0ef7400bd376b41f356ef433c2e7254b971d59
Instruction ID: 1d0a50843ab2129553b294aebd689eb7663a7ca0febdbf048edd58cab1e30fa1
Opcode Fuzzy Hash: b3e7282008228c9dee8d013edc0ef7400bd376b41f356ef433c2e7254b971d59
Instruction Fuzzy Hash: 7C21BF765097809FDB128F25DC44B62BFF4FF06320F08849AE9858B663D234E918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05622912 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0562295B

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 0794141c951b41dd0df77bc2e7a948e299bff0a94647141e1f915790a06a112e
Instruction ID: 393c6b455cead1094235b56925712305247e9c0f247567c1ebc6fcb2b6726607
Opcode Fuzzy Hash: 0794141c951b41dd0df77bc2e7a948e299bff0a94647141e1f915790a06a112e
Instruction Fuzzy Hash: 46115E76A006449FDB20CF56D884B66FBE4FF09220F08C46AED458BA52D335E418DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0562063F Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4350a44db343b0ea65115971c3e1847c0ed03c639e29afdf37199e44d8d5f5e0
Instruction ID: 908ef013812e55cf47ec64d89b635e07c689a2df741bc11755db41f4625b324d
Opcode Fuzzy Hash: 4350a44db343b0ea65115971c3e1847c0ed03c639e29afdf37199e44d8d5f5e0
Instruction Fuzzy Hash: 3541D27240D3C05FD7138B259C49BA6BFB4EF07224F0985DBE9848B6A3D265A90DC762

Uniqueness

Uniqueness Score: -1.00%

Function 054D0B68 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 054D0B8F

Memory Dump Source

Source File: 00000003.00000002.4137587177.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_54d0000_chargeable.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 635c4fe5880a6944564aa3ddfb90abbc9151529dee4424fa03ac17bbcb1cc001
Instruction ID: 654f543801280054cc52304cebc271fba2dace9a00b51227ba79c47fad808c51
Opcode Fuzzy Hash: 635c4fe5880a6944564aa3ddfb90abbc9151529dee4424fa03ac17bbcb1cc001
Instruction Fuzzy Hash: FA415535A002058FCB18DF79D9985DDB7F2EF88214F1480AAD409DB35AEB34DD85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054D0B58 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 054D0B8F

Memory Dump Source

Source File: 00000003.00000002.4137587177.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_54d0000_chargeable.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 601ceba975784c3f89db52d0a8500955186febd0c981693bfe3b9c321afc30bb
Instruction ID: 14262ad59949045315d8daeb70b562a81943fc21e638b5257bfe9985ff55007d
Opcode Fuzzy Hash: 601ceba975784c3f89db52d0a8500955186febd0c981693bfe3b9c321afc30bb
Instruction Fuzzy Hash: DC414635A102058FCB58DF79C9986AEB7F2EF98214F14806AD809DB359EB34DD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0163B8CA Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0163B989

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9da90fbb5a4df34a07054d0ec9c650b2f4f1376c727255977c61047842c7b9aa
Instruction ID: deb1ee8477b8ad054e7115ba3b89e72e28bab8aae3bc7fafc2e72641f2610d0b
Opcode Fuzzy Hash: 9da90fbb5a4df34a07054d0ec9c650b2f4f1376c727255977c61047842c7b9aa
Instruction Fuzzy Hash: 8931B271508380AFE722CF65DC44BA2BFE8EF46310F08849EE9858B652D375E409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05622136 Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 056221FD

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8cb3372245cd73954ea9e7cba0626e6f977a724f5aa3091e75cb4906a8e4c4e8
Instruction ID: 4207048957edd316ab40b2445a8551515e2d9f2a9d62cdf84b087dc94a9dfd5c
Opcode Fuzzy Hash: 8cb3372245cd73954ea9e7cba0626e6f977a724f5aa3091e75cb4906a8e4c4e8
Instruction Fuzzy Hash: A6319E76504744AFE722CF65CC44FA7BBFCFF05210F08459AE9858BA62D324E948CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0163BE37 Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0163BEFE

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 07e7ffc4b141f66aefc78009e69426b5e59118c35e8b658e822f1dc0903883ad
Instruction ID: cb2c9e7ff9a1dbd43c434c5945db8b947ca2ed07f1d75265f5c630e2ae59a801
Opcode Fuzzy Hash: 07e7ffc4b141f66aefc78009e69426b5e59118c35e8b658e822f1dc0903883ad
Instruction Fuzzy Hash: 06316F7550E3C06FD3138B258C65A61BFB4EF87610B0E45CBD9C48B6A3D2296919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0163A7C7 Relevance: 1.6, APIs: 1, Instructions: 95
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0163A879

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: f3c9c55e1269baca47a619c1730db7c04ab5dd7ecd5db9c9b5d7a1f0ebd8fa2b
Instruction ID: afed9dcaf502a9128e66353641d8e1ac048eb9a5c8230bb1d6287c0d1834e17f
Opcode Fuzzy Hash: f3c9c55e1269baca47a619c1730db7c04ab5dd7ecd5db9c9b5d7a1f0ebd8fa2b
Instruction Fuzzy Hash: 2631B1B24083846FE7228B658C44FA7BFBCEF46210F08459AE984CB653D364A90DC7B1

Uniqueness

Uniqueness Score: -1.00%

Function 05620D54 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05620E1B

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 731ce8901e1428eb723a6f853836daa7c9d8ed0ba4cf4701bee72f889d17e478
Instruction ID: 44bfcdfe88a66637e9fb38a98aa52d63335b2235dd33bbd56cc8f83c5765b40c
Opcode Fuzzy Hash: 731ce8901e1428eb723a6f853836daa7c9d8ed0ba4cf4701bee72f889d17e478
Instruction Fuzzy Hash: F031CFB2504340AFE7218B51DC84FA7FBACEB44720F04489AFA489B691D375A94CCB60

Uniqueness

Uniqueness Score: -1.00%

Function 05620C4C Relevance: 1.6, APIs: 1, Instructions: 92
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 05620CE9

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 60bbb1ee469bae3e60bc5dfd5f4bdb4f791e4bac2842e80c6e1e93fd784dcfeb
Instruction ID: 51ff77dbbeb1ec7333f41b5319b2a786bca2f3feb7bc656472c744fd6a31be56
Opcode Fuzzy Hash: 60bbb1ee469bae3e60bc5dfd5f4bdb4f791e4bac2842e80c6e1e93fd784dcfeb
Instruction Fuzzy Hash: 2031E5B65097806FD7228F21DC45FA6BFB8EF46324F0884DAE8848F592D234A549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05620548 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 056205DF

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: a37771b9058686f4329b554afdf4d040e494bfc26426caf0708c682b50fe064e
Instruction ID: 91a2bc65088d776770211411d5a81597b633de792073d251d79662088397c2e3
Opcode Fuzzy Hash: a37771b9058686f4329b554afdf4d040e494bfc26426caf0708c682b50fe064e
Instruction Fuzzy Hash: A631BF72509384AFE7218F65DC45FA7BBB8EF45220F0884AAE944DB652D324A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0163A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0163A6B9

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: da9382cfdfa04a327ca586028835d46c1379ab84d69c7017764c2ff17fbf835e
Instruction ID: 8f40267b63b8903333b9091abad51b0e13b525aa50f41c1ca3e408a8618633b7
Opcode Fuzzy Hash: da9382cfdfa04a327ca586028835d46c1379ab84d69c7017764c2ff17fbf835e
Instruction Fuzzy Hash: 8E31B3B55093805FE712CB65CC85B96FFF8EF46210F08849AE984CB292D375E909C761

Uniqueness

Uniqueness Score: -1.00%

Function 05622162 Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 056221FD

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 778ee849586d09cdbe6e98d10326768f58a0acef17875d5f6ab8f6cd1d575b36
Instruction ID: 3a10773b152575a464253019041106edf22eba58cd75425e7667e1935301c5f1
Opcode Fuzzy Hash: 778ee849586d09cdbe6e98d10326768f58a0acef17875d5f6ab8f6cd1d575b36
Instruction Fuzzy Hash: 77219C76500604AFEB21CE56CD44FABBBECEF08224F08855AEA45C7A51D720E549CEA1

Uniqueness

Uniqueness Score: -1.00%

Function 0163A8C1 Relevance: 1.6, APIs: 1, Instructions: 86
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 0163A97D

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: e00353519727c5ef6370d9b4e457170d63551dce299da3fdc8cd9bd103dbd708
Instruction ID: 3290c455061fc711e4c1413da24dd8ad3cc3d9fe341baa6d86924c3b5b353e16
Opcode Fuzzy Hash: e00353519727c5ef6370d9b4e457170d63551dce299da3fdc8cd9bd103dbd708
Instruction Fuzzy Hash: FE31F672404380AFEB228F61CC45FA2FFB8EF46310F08849AE9848B593D375A50DCB65

Uniqueness

Uniqueness Score: -1.00%

Function 0163A361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 0163A40C

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 31f1c1aef001789e7c5319dd16c2283677cecd07f6ec7568971ea7cdc58b1c39
Instruction ID: 9d2f559e441211f4bc54c1b029c3396fc2c19847b9d81afd7aa10887ecc206ab
Opcode Fuzzy Hash: 31f1c1aef001789e7c5319dd16c2283677cecd07f6ec7568971ea7cdc58b1c39
Instruction Fuzzy Hash: 74318175509780AFE722CF55CC84F92BFF8EF46310F08849AE985CB692D364E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05620D76 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05620E1B

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 078e485bb0935dd80b0a61e614ca44f2416fd0282a59bfd66517051fa163adc5
Instruction ID: b430a0526de585c15b6caa650b11bf5710ba6f48109c87edec03b9fc4d990108
Opcode Fuzzy Hash: 078e485bb0935dd80b0a61e614ca44f2416fd0282a59bfd66517051fa163adc5
Instruction Fuzzy Hash: 53219F72500204AEEB20DF51DD85FB6FBACEF04724F04485AFA889B681D775A98DCB71

Uniqueness

Uniqueness Score: -1.00%

Function 056210C8 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 0562116E

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 16b8287c9a97a3a01ca268f21f527408371082e68346e9a2105c346a1343f171
Instruction ID: 4ced08467e55e1d2cbd9673430d69fe6510a6bd63e316363eb4b8cf0677e4f53
Opcode Fuzzy Hash: 16b8287c9a97a3a01ca268f21f527408371082e68346e9a2105c346a1343f171
Instruction Fuzzy Hash: DB31917150D3C06FD3128B258C55B62BFB8EF87610F0980DBE884DF693D225A949C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05620006 Relevance: 1.6, APIs: 1, Instructions: 80networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0562009E

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: b1748f8e32d687bf13d3a3f1295702b99970b287e40610d52cc202377d1b63fb
Instruction ID: 2374581dc014e526035bdfd192bafc0d696d466cadd1ee5ecd431f064eb83dce
Opcode Fuzzy Hash: b1748f8e32d687bf13d3a3f1295702b99970b287e40610d52cc202377d1b63fb
Instruction Fuzzy Hash: 1431B171409380AFE722CF65DC44F56FFF8EF06220F08849AE9858B652D375A448CB62

Uniqueness

Uniqueness Score: -1.00%

Function 056223D5 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 05622464

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 808551d0388bcf0b6cfb4769652fc22f03e07e54ed846864384c857bbc84a06d
Instruction ID: 6fe0cd5417308165ae8816f9a714ebea0e1c1a56922689099267fff3c3d5b016
Opcode Fuzzy Hash: 808551d0388bcf0b6cfb4769652fc22f03e07e54ed846864384c857bbc84a06d
Instruction Fuzzy Hash: 34217E755087849FDB12CF25DC44B62BFF8FF46214F0884DAE984CB662D234E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0163B9E0 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 0163BA75

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: df1e2cb26870875fa63461dd7636486d859dfad131acca8721dd681ab8aaf110
Instruction ID: eef8cc926b0e5339ffa09882188b7aa5acbaf88553caeab714480790d079ba2f
Opcode Fuzzy Hash: df1e2cb26870875fa63461dd7636486d859dfad131acca8721dd681ab8aaf110
Instruction Fuzzy Hash: 3921F8B54097806FE7138B25DC45BA2BFBCEF47724F0880D6ED808B693D264A909C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 05622A5D Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 05622AE4

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: bc8fb930ebe30ff66bee2dd7d7b004f109edd6b6156d3ee01c2a7f2da20e77cf
Instruction ID: b6ccf9370463aa8476696f3373a438dc101d24f15a538bbf19c66a833258ac59
Opcode Fuzzy Hash: bc8fb930ebe30ff66bee2dd7d7b004f109edd6b6156d3ee01c2a7f2da20e77cf
Instruction Fuzzy Hash: 3421C4755093806FE712CF25DC45FA6BFB8EF42224F0884DAE944DF692D264A908C771

Uniqueness

Uniqueness Score: -1.00%

Function 0163A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 0163A4F8

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: c60fbc0a9b513f80c32626d90d2a7fb3aa8946db0ceb3cd3a150f4129860a991
Instruction ID: 56ca89027ac5726b3acc53709a4a550e9d028e0cb625e8d3d495a728d4248113
Opcode Fuzzy Hash: c60fbc0a9b513f80c32626d90d2a7fb3aa8946db0ceb3cd3a150f4129860a991
Instruction Fuzzy Hash: 872192725093806FD7228F55DC44FA7BFB8EF46220F08849AE985CB692D364E848C771

Uniqueness

Uniqueness Score: -1.00%

Function 0562056E Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 056205DF

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 0453e32073862aa0b67251faacd18f52d8519071a226f412b7b6b5cff778aae5
Instruction ID: bd0b6407ed5d099143ba6cc0f0bcee63e9387b243d9aabb548d2d1c1b6c5ed20
Opcode Fuzzy Hash: 0453e32073862aa0b67251faacd18f52d8519071a226f412b7b6b5cff778aae5
Instruction Fuzzy Hash: 4621C272500604AFE720DF65DD45FABBBACEF44220F08846AE945DBA41D734E548CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0163B90A Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0163B989

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e188a228b99b8a2b9643aef3b215386d9675086923c5c292d1ff779490369ddf
Instruction ID: 5f83b9079df5739fe570bef9720d53d3d51a1fd7d2bb4dc9d8d9f037e66937f6
Opcode Fuzzy Hash: e188a228b99b8a2b9643aef3b215386d9675086923c5c292d1ff779490369ddf
Instruction Fuzzy Hash: 3921B071504200AFEB21CF66DD85B66FBE8EF49320F08846EE9458BB92D375E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05620462 Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 056204F4

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 88612814e4c8958395151dca3dd119a14f4306aecb6516a5859b840c0f1a2433
Instruction ID: 3cf11909b1597b5dee9eb327f70fbdcf3306d42c767c0d5d07e4ae41d2b272b9
Opcode Fuzzy Hash: 88612814e4c8958395151dca3dd119a14f4306aecb6516a5859b840c0f1a2433
Instruction Fuzzy Hash: 6921AF72508740AFD721CF55CC48FA7FBF8EF45220F08849AE9459BA92D364E948CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0163A7FA Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0163A879

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 7cbf38f6d7f6d300c290b2dec4bad6b0839a43325aeeb0c7ae6247ef11c28f06
Instruction ID: c9927ca5336c3268df84a8846b6520e0e4cdd62365b914b3893fa48ae9428b17
Opcode Fuzzy Hash: 7cbf38f6d7f6d300c290b2dec4bad6b0839a43325aeeb0c7ae6247ef11c28f06
Instruction Fuzzy Hash: FE21CF72500204AFE7218F95CD44FABFBECEF44224F04855AE945CBB41D774E54D8AB1

Uniqueness

Uniqueness Score: -1.00%

Function 05622B47 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 05622BC3

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 8ed1a4c70b10ed47ee22b4605e7b3d17a449db04549308104eeadc0d6b4499c7
Instruction ID: 7c494f37d4ba798acf21e1bcd993298c9adcce1466293361f8300755a5dbc541
Opcode Fuzzy Hash: 8ed1a4c70b10ed47ee22b4605e7b3d17a449db04549308104eeadc0d6b4499c7
Instruction Fuzzy Hash: 3521D4B15093806FD711CF65CC44FA6FFB8EF46220F0884AAE944DB652D374A948CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05622C2B Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 05622CA7

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 8ed1a4c70b10ed47ee22b4605e7b3d17a449db04549308104eeadc0d6b4499c7
Instruction ID: 75bf98fe56015e07fc15c24946dfffa175953cecfe5d3324e95645cc5e0e1cd6
Opcode Fuzzy Hash: 8ed1a4c70b10ed47ee22b4605e7b3d17a449db04549308104eeadc0d6b4499c7
Instruction Fuzzy Hash: 4121C2715083846FD712CF65CC45FA6BFA8EF46220F0884AAE944CB652D264A908CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0163A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0163A6B9

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 2e07440e58cc890b33161b2b8a71a24546fb595c885b3a1a168fe8d31e0b8c4f
Instruction ID: 911e3fd15f19f6ebcbf5714d08acfa8ae889ee149437a3e6e2404473c154e83d
Opcode Fuzzy Hash: 2e07440e58cc890b33161b2b8a71a24546fb595c885b3a1a168fe8d31e0b8c4f
Instruction Fuzzy Hash: 7F21D4B56042009FE711CFA5CD85BA6FBE8EF45220F08846AE989CB741D775E409CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0163A140 Relevance: 1.6, APIs: 1, Instructions: 71networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0163A1C1

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 1520fc636a31af3d331d2dceac3e8f2bff063b0b1c95117a30bab4f987ed2e4c
Instruction ID: b60053319826b9386aaa6455f9f6355720e8f0883da5d03af13d1ce7a1790bf6
Opcode Fuzzy Hash: 1520fc636a31af3d331d2dceac3e8f2bff063b0b1c95117a30bab4f987ed2e4c
Instruction Fuzzy Hash: B021AC3140D3C09FD7238B658C54A92BFB4EF47220F0985DBD984CF5A3D229A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0163BCC2 Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 0163BD41

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1746a9971c958cdf09986f86a906f5c0597e03cd69a8bb0c71c52c8bf1816558
Instruction ID: 2f77bc63b7284542835f967ad97940b40458ff6c8401914fa939833c7c01ca03
Opcode Fuzzy Hash: 1746a9971c958cdf09986f86a906f5c0597e03cd69a8bb0c71c52c8bf1816558
Instruction Fuzzy Hash: 85219272409380AFD722CF55DC44F96FFB8EF45324F08849AE9449B652D374A508CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0562230F Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 0562238B

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 3106dcdbe0c0a35df3370b3c5bb43d3281cecaf5581f89130d4f3c1345d050cb
Instruction ID: e115521121610e36e51889c421aeef33b58e68620953884f650d41222a63acec
Opcode Fuzzy Hash: 3106dcdbe0c0a35df3370b3c5bb43d3281cecaf5581f89130d4f3c1345d050cb
Instruction Fuzzy Hash: 9C21D271409384AFD722CF51CC84FA6FFB8EF46224F08849BE9449B692D374A508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0163A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 0163A40C

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0c6b08f6cd76d7c4aadf758cc96cbb69aa2bfc707240aec45e69049870e2b050
Instruction ID: 90d2f027c792d999246d60f39c833f1401d3423f1c2c7b57b98c17190b41630b
Opcode Fuzzy Hash: 0c6b08f6cd76d7c4aadf758cc96cbb69aa2bfc707240aec45e69049870e2b050
Instruction Fuzzy Hash: E021A2766002049FE721CF55CC84FA6FBECEF44720F08845AE985CB752D764E849DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05620F26 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05620FA2

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: d9ee33f3ee8a866639fca70b746b1f2311887b7701cc9803cfbf1ee1a488ab78
Instruction ID: d084bcacb4f363ca1010caf673cd7d53e35d2a07763fedc4b3e23de38e21ab12
Opcode Fuzzy Hash: d9ee33f3ee8a866639fca70b746b1f2311887b7701cc9803cfbf1ee1a488ab78
Instruction Fuzzy Hash: 32219F71508784AFDB228F55DC44B62FFF4FF4A220F08849AED858B662D335A918DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05620032 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0562009E

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: e4f6cf21805347094aa1e89af3b9e1a8d1d5038762228821a14513730f29db55
Instruction ID: 31862eb300d0eff3ec0722b6bdce9cb54f3e6cf4d6e62a4a161ca100d33050b2
Opcode Fuzzy Hash: e4f6cf21805347094aa1e89af3b9e1a8d1d5038762228821a14513730f29db55
Instruction Fuzzy Hash: 38210E71500240AFEB20CF95DD44FAAFBE8EF08320F08885AE9458BB41D375E409CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0562071E Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05620792

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 69044cb83fe5a85cb513cde91ba30ed9e0a3845c0d7f0c7af0b98f7bd161d01e
Instruction ID: ad62e4b2452830e85766b275fd2a1126867b3b733b2978f8a0f74b7e1cd064d1
Opcode Fuzzy Hash: 69044cb83fe5a85cb513cde91ba30ed9e0a3845c0d7f0c7af0b98f7bd161d01e
Instruction Fuzzy Hash: A121FD72404204AFE721CF95DD89FA6FBE8EF08224F08845AE9458BB41D375E449CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0562138A Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 05621413

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 728ed28ea1e069c3fa5f124bc7259efec5df3dda0e8878a124c5fd7304da372e
Instruction ID: 88bbdc06d16dc9d657e84bd588b41a15030e0ad08e8182a22d98641f418755fd
Opcode Fuzzy Hash: 728ed28ea1e069c3fa5f124bc7259efec5df3dda0e8878a124c5fd7304da372e
Instruction Fuzzy Hash: 1211D6715083406FE721CF55DC85FA6FFB8EF46720F08809AF9449B692D274A948CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0163A902 Relevance: 1.6, APIs: 1, Instructions: 66windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 0163A97D

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: f943227596e88508272018c6078af156900f6696498c7fcef28e0e7b5a2ff247
Instruction ID: d3e06a0c51f7435a431dc96bb8a326fe3006c8168dca274f09473dfce667a245
Opcode Fuzzy Hash: f943227596e88508272018c6078af156900f6696498c7fcef28e0e7b5a2ff247
Instruction Fuzzy Hash: 7521E172500200AFEB218F95DD40FA6FBA8EF44720F08845AEE859BA91D375E509DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05620482 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 056204F4

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 70d054bebff274de6406179764ca7229a0addd8582b8fd8869733ca0d4e51282
Instruction ID: 484709570c1bbec53e68aa15d19c74ba70d7ca8e08242958aa247f246ad81a24
Opcode Fuzzy Hash: 70d054bebff274de6406179764ca7229a0addd8582b8fd8869733ca0d4e51282
Instruction Fuzzy Hash: D211B172504600EFEB20CF55CD88FA6F7ECEF04724F08855AE9459BB51D760E548CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0163A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 0163A4F8

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: b39eaff6e7d8d949df525adb6a5fc0c11956e0c9f8dd0eab7958e3d5919988c5
Instruction ID: ac224f9b4cf7c568bb6b51df4162058194702f68b645a1c26a0ab7f59c70ebad
Opcode Fuzzy Hash: b39eaff6e7d8d949df525adb6a5fc0c11956e0c9f8dd0eab7958e3d5919988c5
Instruction Fuzzy Hash: 2711BEB2500200AFEB218E55CC45FA6FBECEF44624F08845AED85CBB82D360E448DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05622770 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 056227DA

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 078bd1f154938e9c6b13494134df2f9eb4240ce4287913c9289881407bbd8fba
Instruction ID: 4c476ec2c4b867f1724890417422f8286f140885d962fc94e35327f5020fc8ca
Opcode Fuzzy Hash: 078bd1f154938e9c6b13494134df2f9eb4240ce4287913c9289881407bbd8fba
Instruction Fuzzy Hash: 6D11AF756083809FD761CF25DC85B62BFE8EF45220F0884AAE945CBA52D234E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05620C8A Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 05620CE9

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 188a405f4674069922d131be9515270719e792c5ec326f76b615ecbdf5f0b732
Instruction ID: 74f6113425725d73015e0b9363084e447559c2be3e71a04e618c304714db9ed9
Opcode Fuzzy Hash: 188a405f4674069922d131be9515270719e792c5ec326f76b615ecbdf5f0b732
Instruction Fuzzy Hash: 24112672500600AFEB20CF51DC44FA6FBE8EF44320F08886AE9058BA45D330E448CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 0163A710 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0163A780

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0ba7dec601b5f408c4960e6998d7a5fd21e3eb564c09fee424c1b548b42f03b2
Instruction ID: cb6061557a2716102e1c411dcd66c6389fe61d0ac52feab69ecc40da402ad4aa
Opcode Fuzzy Hash: 0ba7dec601b5f408c4960e6998d7a5fd21e3eb564c09fee424c1b548b42f03b2
Instruction Fuzzy Hash: 2211D6B59043849FD712CF55DD85752BFB8EF46320F0884ABED858B653D3349905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05622B6A Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 05622BC3

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 02202e31429c6eaf177611951a5f2c2bdbd5fec07f06909dc3273663ccef5b5d
Instruction ID: 86782e7eb8138395517799d72bd98cfffcec65c7bfa1e82e68c9070c0d846b0e
Opcode Fuzzy Hash: 02202e31429c6eaf177611951a5f2c2bdbd5fec07f06909dc3273663ccef5b5d
Instruction Fuzzy Hash: 4511C4756046049FE710CF55DC85BA6FBA8EF45324F08846AED05CBA41D774E548CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05622C4E Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 05622CA7

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 02202e31429c6eaf177611951a5f2c2bdbd5fec07f06909dc3273663ccef5b5d
Instruction ID: ee75e84dbcf011d8d14f36fc61bfa68f30a6c32ec2332957264e2f7a3549c439
Opcode Fuzzy Hash: 02202e31429c6eaf177611951a5f2c2bdbd5fec07f06909dc3273663ccef5b5d
Instruction Fuzzy Hash: 15110176600600AFEB20CF55DC85FA6FBA8EF44224F08846AED08CBB41D374E508CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 056203BE Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 0562043A

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 7e6ee9eac72ec79c53464b0527d5d3b9a553ef99f0663de2a6c437f6d7bb090d
Instruction ID: dccb8d765ea0d1ae6a53b4d96e538c15580ecac0394adfa9b263ec000d1da162
Opcode Fuzzy Hash: 7e6ee9eac72ec79c53464b0527d5d3b9a553ef99f0663de2a6c437f6d7bb090d
Instruction Fuzzy Hash: 3011C871909340AFD3118B15CC45F76BFB8EFC6620F09819AEC449B782D625B919C7B6

Uniqueness

Uniqueness Score: -1.00%

Function 05622A8E Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 05622AE4

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 64b57842e3d2af57f242a802ed8e5aa67dd824258ce0d7ba063322cc8b2dd890
Instruction ID: 967c3d6b37a0b0270bbaf4d6d7883b97b4708e34198a8a1033ac47eb9fe3f67d
Opcode Fuzzy Hash: 64b57842e3d2af57f242a802ed8e5aa67dd824258ce0d7ba063322cc8b2dd890
Instruction Fuzzy Hash: 0211E375500200AFEB11CF55DD85BA6B7A8EF44224F18846AED04DBB41D774E548CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0163AF93 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0163AFFE

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7375731b13a6e58496ad851caeac935edc99f522f9a28d2db9c7b41d08f50e5b
Instruction ID: 473d670205edfe0929d18f6d950bcca0a0e51b612e3c8fa328542b9209f97b15
Opcode Fuzzy Hash: 7375731b13a6e58496ad851caeac935edc99f522f9a28d2db9c7b41d08f50e5b
Instruction Fuzzy Hash: 36117271409380AFDB228F55DC44B62FFF4EF8A320F08849AED858B662D375A519DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0163BCE2 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 0163BD41

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e5203a4734d92345993677725ee50238af52f529eabdaf54c22adf96bc0986f4
Instruction ID: b8d73440c0aca6df6b6e94237b9650bcc4658fc92ac418038d50cd35147fcc94
Opcode Fuzzy Hash: e5203a4734d92345993677725ee50238af52f529eabdaf54c22adf96bc0986f4
Instruction Fuzzy Hash: C911E372500200EFEB21CF55DC84FA6FBE8EF84324F08845AE9458BA51D374E549CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05622332 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 0562238B

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 5bc431191baae3784d78a705108024c0dd1f1c45783fd6ee7c7b75d3fc0de77c
Instruction ID: ca13c19f407438f9441fa71d811552b4c981b932456295e90b65e5cfcfc7f48e
Opcode Fuzzy Hash: 5bc431191baae3784d78a705108024c0dd1f1c45783fd6ee7c7b75d3fc0de77c
Instruction Fuzzy Hash: 0211E076500204AFEB20CF51CC84FAAFBE8EF44724F08846AED049BA41D374E508CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0163ABC1 Relevance: 1.6, APIs: 1, Instructions: 57comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0163AC20

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: f4855bc7960433b0984cb71516cf75e75a47db29d9a476b59a0da7ab20a8ad58
Instruction ID: 1a16829fdc3aeca2ffa4daea337afadb093f6a48ab49fcac3f9a290ff5c7ad2e
Opcode Fuzzy Hash: f4855bc7960433b0984cb71516cf75e75a47db29d9a476b59a0da7ab20a8ad58
Instruction Fuzzy Hash: 061182715493C0AFDB128F65DC44B52BFB4EF47220F0884DAED848F253D275A548DB61

Uniqueness

Uniqueness Score: -1.00%

Function 056213AA Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 05621413

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e7b92a512b72c8e644d2438e3572d797695ca8da74aa135e0faca6ceacb35b14
Instruction ID: 7c1b824c8a2ee5fd0037a6b0d46673d54cfb1e8614d20ff79ec79f7b616892ee
Opcode Fuzzy Hash: e7b92a512b72c8e644d2438e3572d797695ca8da74aa135e0faca6ceacb35b14
Instruction Fuzzy Hash: 26112571504200AEE720CF15DC81FB6FBA8EF45724F04805AED084BB81C3B5A44DCEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0163A2D2 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0163A330

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8a8499be19a199767e83cdf3240d767ff41192edf0f4c2c035cd0b37a38ce847
Instruction ID: cd0c1e284138e7554ae23a0fd9433fef22bcaf0ff6fc95233d28c1e4af19ace1
Opcode Fuzzy Hash: 8a8499be19a199767e83cdf3240d767ff41192edf0f4c2c035cd0b37a38ce847
Instruction Fuzzy Hash: EE1160714093C06FD7138B159C54762BFB4DF47224F0C80DAED848B263D265A908D762

Uniqueness

Uniqueness Score: -1.00%

Function 0562240E Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 05622464

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 16025299c9c2222324a11011b8f9d955ef884e9d2eec1d45cc15e02b55a12747
Instruction ID: 951ff5c3dc953083185249fbc0a2c6e9722aa6b8ac1ae5cb5d011b6137e76723
Opcode Fuzzy Hash: 16025299c9c2222324a11011b8f9d955ef884e9d2eec1d45cc15e02b55a12747
Instruction Fuzzy Hash: D7116A796006449FDB20CF55D884BA2FBE8FF18220F0885AADD49CBA52D334E418CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05622792 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 056227DA

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 3b410cbeb3d2e69d4fc1d736a13b58655d18f52d0da75ff2c97dd6683c6ee579
Instruction ID: 2efd59b27954a2b44ab8caf9c4b5a66abb629b35f8d598996f9a88d82f4d876e
Opcode Fuzzy Hash: 3b410cbeb3d2e69d4fc1d736a13b58655d18f52d0da75ff2c97dd6683c6ee579
Instruction Fuzzy Hash: 54118E76A046008FDB60CF29D885B66FBE8EF14620F08C46ADD49DBB42D674E448CE61

Uniqueness

Uniqueness Score: -1.00%

Function 0163BA22 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,5EEFD804,00000000,00000000,00000000,00000000), ref: 0163BA75

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 56226f7964db83c12a0b823ea7b5083389e07663e4c5d3a9fa842c2902191d80
Instruction ID: 62fdb835a28832717b9ec6e737637cdff51d70c34013eb8b01ff0f4e3eb5fad5
Opcode Fuzzy Hash: 56226f7964db83c12a0b823ea7b5083389e07663e4c5d3a9fa842c2902191d80
Instruction Fuzzy Hash: E1012271904600AEE720CF06CC84BA6FBA8EF84324F088096ED048BB41D374E8498AB1

Uniqueness

Uniqueness Score: -1.00%

Function 05620F56 Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05620FA2

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 603195f39b6ad9abd862604ca06419ffc835406ac125411bd05577b235efb750
Instruction ID: 3f39ffa2d1bc2542cfe94963027a31affc0f0dd6eb0889a183d1ab6eaf92ffcc
Opcode Fuzzy Hash: 603195f39b6ad9abd862604ca06419ffc835406ac125411bd05577b235efb750
Instruction Fuzzy Hash: D3115A71504644DFDB20CF55D848B62FBE4FF08220F0884AAED498BB62D335E558CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0562111E Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 0562116E

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 0ebc0c9e7cecc675923417e23acaddc1211773d14e57fb134cad068549a51ed4
Instruction ID: f980a0ad0aae80b2f55eaf84f6c54be135d57bb6286338ce834d82bf47db6f26
Opcode Fuzzy Hash: 0ebc0c9e7cecc675923417e23acaddc1211773d14e57fb134cad068549a51ed4
Instruction Fuzzy Hash: 1501B171A00200ABD310DF16CD45B76FBE8FB88A20F14811AEC089BB41D731B915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0163AFBA Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0163AFFE

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ffb4bc56ab4766f81bddb85f2ec7eed36b341467ab4e2a07eeb280e1ef59bdfe
Instruction ID: b5c3f3c64b1ef76f3ebc61b31195fabfcf8c44fd6fc975ce456e75adc33770b0
Opcode Fuzzy Hash: ffb4bc56ab4766f81bddb85f2ec7eed36b341467ab4e2a07eeb280e1ef59bdfe
Instruction Fuzzy Hash: 6A016D72900640DFDB218F95DD44B62FBE4EF88320F08889ADD998B652D376E419DF62

Uniqueness

Uniqueness Score: -1.00%

Function 056203EA Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 0562043A

Memory Dump Source

Source File: 00000003.00000002.4137806694.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5620000_chargeable.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: a12e38dc7da818bafe018c962d5ce76bfa4797a984fc219cc7c0476ac7e59584
Instruction ID: 9f0dedf4585d7b6152314d619c03c9a5e536586d419706437c4089e1131fd207
Opcode Fuzzy Hash: a12e38dc7da818bafe018c962d5ce76bfa4797a984fc219cc7c0476ac7e59584
Instruction Fuzzy Hash: B801A271900200ABD310DF1ACD46B66FBE8FB88A20F14815AEC089BB41D731F955CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0163A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0163A780

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 94b604257cd58f1776413b6c95c04d18d3887ab385209fbbad196a8d70cd4827
Instruction ID: d0a1882b15ef0e208a56c4253307335d8a5b03426df211fde7fe4d880ecf4527
Opcode Fuzzy Hash: 94b604257cd58f1776413b6c95c04d18d3887ab385209fbbad196a8d70cd4827
Instruction Fuzzy Hash: B2017C75A002408FEB118F99D985766FBA4EF85220F08C4AADD8ACB756D275E408DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0163BEAE Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0163BEFE

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cce8f358ee8f34b68e28d44e693bdf6c0f50b6c837be846a5bfedef492933b27
Instruction ID: 8dcecb57216d56e7b5f40a461b8defd6aedcbcc82d253cf5b5db44f0168cfd22
Opcode Fuzzy Hash: cce8f358ee8f34b68e28d44e693bdf6c0f50b6c837be846a5bfedef492933b27
Instruction Fuzzy Hash: F201A271900200ABD310DF1ACD46B66FBE8FB88A20F14811AEC089BB41D771F955CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0163A186 Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0163A1C1

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 3b1e050d2043c8734ee721031ff3bef466cedd1f4d01fa7481a88852f33afa2b
Instruction ID: 11ec4efeb10cb05d54323d762c8d91f9ca698df4d86b83839a0dbd49d129ec76
Opcode Fuzzy Hash: 3b1e050d2043c8734ee721031ff3bef466cedd1f4d01fa7481a88852f33afa2b
Instruction Fuzzy Hash: 4C018C72904240DFDB208F99D844B62FBE4EF84221F0885AADD898B612D375A418DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0163ABEE Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0163AC20

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 9b23e5d4787e3eed2098175f1a04536759c21699eb9e0ebebcde7287a635345d
Instruction ID: 5bd9f99d1e90623cec9af684b40f659aa66b08e42e946c95b5650c4bd70600ae
Opcode Fuzzy Hash: 9b23e5d4787e3eed2098175f1a04536759c21699eb9e0ebebcde7287a635345d
Instruction Fuzzy Hash: E501A271904244CFDB10CF55DC84765FBE4EF85220F08C4AADD888F746D379E448CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0163A2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0163A330

Memory Dump Source

Source File: 00000003.00000002.4133604932.000000000163A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_163a000_chargeable.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 48a9437b68f29b17424a3738837d4be2609467e17717d96be3ad67d1fda4e949
Instruction ID: f4866b68887173fb0ae238733f3e13b78dab63ddf1f6ccbc4791c1c0b26d6fd6
Opcode Fuzzy Hash: 48a9437b68f29b17424a3738837d4be2609467e17717d96be3ad67d1fda4e949
Instruction Fuzzy Hash: 78F0AF75904244CFEB108F49DC89761FBE4EF85324F08C09ADD898B752D3B5E408DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 05AD161D Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4138203339.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ad0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a54e810005ac737528a713329a51f80bef5a768ddaff3f1e2fe4522ffc4dc023
Instruction ID: 1797df2d32b58f2ee350b6e24e59da0529f939696ddb5b1de0825d08a054819b
Opcode Fuzzy Hash: a54e810005ac737528a713329a51f80bef5a768ddaff3f1e2fe4522ffc4dc023
Instruction Fuzzy Hash: 37415175508340AFC341CF19D840A5AFFE4EF89660F08895EF9999B311D235A904CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 011807AC Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4132268069.0000000001180000.00000040.00000020.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1180000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f546549df93ae10de3454d0910b7456345de7cf975293c5cc0b94e5fa70edda
Instruction ID: fc10aab54fb8c4b5f679a0c53867d60d0528672086fa947cd5813e5c16a2f05e
Opcode Fuzzy Hash: 2f546549df93ae10de3454d0910b7456345de7cf975293c5cc0b94e5fa70edda
Instruction Fuzzy Hash: 38310A3550E7C58FC7179B24D860711BFB1AF4B608F2985EFD4858B5A3C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 05AD1E30 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4138203339.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ad0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fbd9f8e3aa5abd375fa58883dc5a54b919fa905b579ac78a0bd06995cab0675
Instruction ID: 6ee86f829866a0ff489233774e61399c6ef37b1bc35a503be1624ad3959d5d14
Opcode Fuzzy Hash: 9fbd9f8e3aa5abd375fa58883dc5a54b919fa905b579ac78a0bd06995cab0675
Instruction Fuzzy Hash: 2E11BAB5908341AFD350CF19D840A5BFBE4FBD8664F04896EF998D7311D231EA088FA2

Uniqueness

Uniqueness Score: -1.00%

Function 01180814 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4132268069.0000000001180000.00000040.00000020.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1180000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcce62aa2bf63ff33a10d6d327a274599fc6fae1e03020969034a7aa6eef68cc
Instruction ID: d8b94024939664fbc2344d6b38e5a35ebdd697b45df729b7901f4c9cf5a38a01
Opcode Fuzzy Hash: bcce62aa2bf63ff33a10d6d327a274599fc6fae1e03020969034a7aa6eef68cc
Instruction Fuzzy Hash: E611D530A14248DFD719DB14D540B25B795AB8E708F24C9ACF84917643C737D89BCE81

Uniqueness

Uniqueness Score: -1.00%

Function 011807E4 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4132268069.0000000001180000.00000040.00000020.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1180000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb7cab1c7e3cbbe26ae03bea5187c3158787f95de646bfe82c7e599e2ec9e90
Instruction ID: 9b36a8e3e24025efff68f11574b16650d98c87b4aa4b2feb87afba0717dd15f0
Opcode Fuzzy Hash: fbb7cab1c7e3cbbe26ae03bea5187c3158787f95de646bfe82c7e599e2ec9e90
Instruction Fuzzy Hash: 37216D315493C4CFD7078B24C990B65BFB1AF4B314F2985EED4848B6A3C33A884ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 05AD1CD4 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4138203339.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ad0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fbf5a9ddc59e9e639758dfe4079f7a6284ea22d4c660153b60c100f4029759
Instruction ID: aabe230fbfb24daae96ef42c06c185854ef8c348687f0ed3f76fd9ffcbd3dffa
Opcode Fuzzy Hash: b2fbf5a9ddc59e9e639758dfe4079f7a6284ea22d4c660153b60c100f4029759
Instruction Fuzzy Hash: 3D11FAB5908301AFD750CF09DC80E57FBE8EBC8660F04882EF95997311E231E9088FA2

Uniqueness

Uniqueness Score: -1.00%

Function 0164AFBC Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133745432.000000000164A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_164a000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7907fe86255f07e4a8e740ad0122f31819823d42645f10a9bf802957bc7bac0c
Instruction ID: 816e94e7702aff492bc2b59fbf8222bde744e071e5b635c5fa8c424998c3ba02
Opcode Fuzzy Hash: 7907fe86255f07e4a8e740ad0122f31819823d42645f10a9bf802957bc7bac0c
Instruction Fuzzy Hash: EF11FAB5908301AFD350CF09DC40E57FBE8EBD8660F04892EF95997311D231E9088FA2

Uniqueness

Uniqueness Score: -1.00%

Function 011805DF Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4132268069.0000000001180000.00000040.00000020.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1180000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ab05aea3b32ca7a781ec8fa66e6b371f613294944520a277623c7873c8caa7
Instruction ID: c4d762628fa72a6501d232e94d249eebc2563b32798aa01daae5a7f165ac2148
Opcode Fuzzy Hash: 98ab05aea3b32ca7a781ec8fa66e6b371f613294944520a277623c7873c8caa7
Instruction Fuzzy Hash: 9001DBB554D3C06FD7128F159C54862FFB8DF8613070C84DFEC898B652D125A809C771

Uniqueness

Uniqueness Score: -1.00%

Function 011808D0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4132268069.0000000001180000.00000040.00000020.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1180000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5405e8c2313153df6eab1cfdcb54e4ecace335342848f3dcb2b97980fc5d3c2
Instruction ID: 0adec27de3da7da422f4c2b4f8ae2cf051b6398968a7fa059f9285aea6959e64
Opcode Fuzzy Hash: f5405e8c2313153df6eab1cfdcb54e4ecace335342848f3dcb2b97980fc5d3c2
Instruction Fuzzy Hash: 18F04B35504644DFC706CB04D580B25FBA2EB89718F24CAA9E84817A52C737A852DE81

Uniqueness

Uniqueness Score: -1.00%

Function 01180606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4132268069.0000000001180000.00000040.00000020.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1180000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad537e4ccf34390b6f09dc6641bbfc9ab693fb0f15e5817a2cb0272a26592a6
Instruction ID: 6fae04dd25bbce4601d11bfaa554a7a018b4f2cfeb477a9cbb1b90f09b117812
Opcode Fuzzy Hash: 0ad537e4ccf34390b6f09dc6641bbfc9ab693fb0f15e5817a2cb0272a26592a6
Instruction Fuzzy Hash: 52E092B6A006449B9750CF0AEC45452F7D8EB84630718C47FDC0D8B701E235B508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 05AD1E9B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4138203339.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ad0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1933c097f2cd2f2ce6d2c4310227a7da01cff72727cb4a151db8ca782f12455f
Instruction ID: cc68aeaefd5997118a0b8887e3c68d54af21f38e8636d597985ab74c68483513
Opcode Fuzzy Hash: 1933c097f2cd2f2ce6d2c4310227a7da01cff72727cb4a151db8ca782f12455f
Instruction Fuzzy Hash: 7FE0D8F294020467D7108E069C45F52FB98DB94930F08C467ED085B741E171B51889E1

Uniqueness

Uniqueness Score: -1.00%

Function 05AD1D23 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4138203339.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ad0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e7d278d8b27233a040d2a62f759faf149acaba5878a3aa7c75765d717515d94
Instruction ID: f51d17864927a4801a0f2eeb60cb80cc8fc10bc531d9b7ac6a1d876dc3ae2d8e
Opcode Fuzzy Hash: 9e7d278d8b27233a040d2a62f759faf149acaba5878a3aa7c75765d717515d94
Instruction Fuzzy Hash: 2EE0D8B294030467D6509E069C45F63FB98DB90930F08C467ED091B702E172B5048DF1

Uniqueness

Uniqueness Score: -1.00%

Function 05AD1747 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4138203339.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ad0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bf9aef330410b28589994207de4f550723711398bae1f31418eafed3136d52
Instruction ID: 438cbe27d7d7fa8cbfc10e40d87cb9875c08033ef7276217a477b9bba28058c7
Opcode Fuzzy Hash: b2bf9aef330410b28589994207de4f550723711398bae1f31418eafed3136d52
Instruction Fuzzy Hash: 6EE0D8B294020467D2109E069C45F53FB98DB90930F08C467ED091B701E172B614CDE1

Uniqueness

Uniqueness Score: -1.00%

Function 0164B00B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133745432.000000000164A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_164a000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a594f85cec7cbc1b9c2937de1199a7cfd1348c9e504876a03e2c4bccf80ab5b1
Instruction ID: abdd497d5e3e48a70d9f92d7e491771ee5b61cb111c22f481797dec82eb214ad
Opcode Fuzzy Hash: a594f85cec7cbc1b9c2937de1199a7cfd1348c9e504876a03e2c4bccf80ab5b1
Instruction Fuzzy Hash: 7AE0D8F294020467D2108F06AC45F52FB98DB90930F08C567ED091B701E171B90489F5

Uniqueness

Uniqueness Score: -1.00%

Function 016323F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133573554.0000000001632000.00000040.00000800.00020000.00000000.sdmp, Offset: 01632000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1632000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb69854ee64d2a41a6ae102e22cfde5732218c7aa3cdd1406ca7778345aeb14
Instruction ID: 7e7c2078c1dc00699901a412c20c04a2c06150f3bcf2a8cb859643dd65aa398a
Opcode Fuzzy Hash: ceb69854ee64d2a41a6ae102e22cfde5732218c7aa3cdd1406ca7778345aeb14
Instruction Fuzzy Hash: ACD05E79206AC14FE3169A1CC5A4B953BE4ABA1714F4A44FDA8008B763C768E5D1D600

Uniqueness

Uniqueness Score: -1.00%

Function 016323BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133573554.0000000001632000.00000040.00000800.00020000.00000000.sdmp, Offset: 01632000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1632000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f84b6fd08a135bc42b7b729ca2505ba3a1c1ef7a5acd5beb1f1b1ec63bd259
Instruction ID: 0f7e25ead8c08de56375925caa7f41a73619a43fbcaf2dd03898e359cd667853
Opcode Fuzzy Hash: 95f84b6fd08a135bc42b7b729ca2505ba3a1c1ef7a5acd5beb1f1b1ec63bd259
Instruction Fuzzy Hash: 3DD05E352406814BE715DA0CCAE4F597BD4AF90B14F0644ECAC108B762C7A4E8C0CA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 054D22D8 Relevance: 12.6, Strings: 9, Instructions: 1370COMMON

Download Yara Rule

Strings

, xrefs: 054D2FB9
:@k, xrefs: 054D2DF5
:@k, xrefs: 054D29AC
:@k, xrefs: 054D2828
:@k, xrefs: 054D28CE
:@k, xrefs: 054D3882
, xrefs: 054D2FAF
:@k, xrefs: 054D2D62
:@k, xrefs: 054D2C4F

Memory Dump Source

Source File: 00000003.00000002.4137587177.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_54d0000_chargeable.jbxd

Similarity

API ID:
String ID: $ $:@k$:@k$:@k$:@k$:@k$:@k$:@k
API String ID: 0-1999185200
Opcode ID: 9280b69ad097421757f53af415dc3dd53289972d76fcdd4b6ca4b278e1c96656
Instruction ID: eb53595c99847c174531daf9256b054feb9517cb0da07b658024e4e8825bee00
Opcode Fuzzy Hash: 9280b69ad097421757f53af415dc3dd53289972d76fcdd4b6ca4b278e1c96656
Instruction Fuzzy Hash: AAB27E34B002148FDB18DB68D869BAEB7B3BF88308F1180A9D5059B791DF75DD85CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: chargeable.exePID: 6740, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	22.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	112
Total number of Limit Nodes:	11

Executed Functions

Function 014500E0 Relevance: 9.1, Instructions: 9140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1858151185.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1450000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a788d362cf0df4cd9ac1f6017a076d8caac1a17d9374aaaa635df2f45e9ebe63
Instruction ID: d296aa651af8d4705eb283ae5c008bee6f14ffd6be4f61552aba0e4fe92f7185
Opcode Fuzzy Hash: a788d362cf0df4cd9ac1f6017a076d8caac1a17d9374aaaa635df2f45e9ebe63
Instruction Fuzzy Hash: 85142834601714DFDB65DB30C854B9AB3B2EF89304F6188A8D55AAB360DF35AE86CF41

Uniqueness

Uniqueness Score: -1.00%

Function 014598A0 Relevance: 5.5, Instructions: 5464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1858151185.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1450000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95574a5c8190b83975306cc4ad6c5d169601fea8fff8d0892f098ae82a10ac65
Instruction ID: 1f6a681d8ab8f3c771738666b0925ccaf72db8be1399bb0a7143b6f564932e29
Opcode Fuzzy Hash: 95574a5c8190b83975306cc4ad6c5d169601fea8fff8d0892f098ae82a10ac65
Instruction Fuzzy Hash: 36B360B57004108F8B49EF02D4E1A7E3776A741A487284399CD512FBDADB39AD17CBCA

Uniqueness

Uniqueness Score: -1.00%

Function 011EAC22 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 011EACD1

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 3dbb0512ce46274e30d4219545b9a861106bd0ba1053aad4d4565d294c240420
Instruction ID: c62b4232002d59cb9087abefdfb2740933ca5f00da4471c63728f4175c80daae
Opcode Fuzzy Hash: 3dbb0512ce46274e30d4219545b9a861106bd0ba1053aad4d4565d294c240420
Instruction Fuzzy Hash: 8D3193714083846FE7228B55DC45FA7BFFCEF05210F08449AE9858B552D365E94DCBB1

Uniqueness

Uniqueness Score: -1.00%

Function 011EAD19 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,13A6DA2D,00000000,00000000,00000000,00000000), ref: 011EADD4

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6b17c416f7913b813d4ac2e06b5a0863249be64ab49a37dc08326f05de2c5484
Instruction ID: 47cd3f24a1b6697a5f4fb67580539bf0871ed9ba49968cb4f9808d9a369d2ce2
Opcode Fuzzy Hash: 6b17c416f7913b813d4ac2e06b5a0863249be64ab49a37dc08326f05de2c5484
Instruction Fuzzy Hash: 1331B1725087805FE722CF65DC84FA2BFF8EF06310F08849AE9458B693D360E548CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011EA2AC Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 011EA346

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d323ba52fa78e08deb9757f3ab2c424dd22f9b2409c042c093883dfbdf98924c
Instruction ID: b2e46bec8e08ceb818ff31a1ad308c7ace5a5de0f5a755c2e6ac771847c2d94d
Opcode Fuzzy Hash: d323ba52fa78e08deb9757f3ab2c424dd22f9b2409c042c093883dfbdf98924c
Instruction Fuzzy Hash: D221F67140D3C06FD3138B259C51B62BFB8EF87620F0A41CBE884DB693D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 011EAC52 Relevance: 1.6, APIs: 1, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 011EACD1

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6e49576eadd278eb1c5f640cceceecb637c8e76b7121b385fc121b7f9e1306e1
Instruction ID: dcfdd031dd81690d01e0ff66633cb51121ca41c2b4a7214a16e642e1250b5551
Opcode Fuzzy Hash: 6e49576eadd278eb1c5f640cceceecb637c8e76b7121b385fc121b7f9e1306e1
Instruction Fuzzy Hash: 3021D172504604AFE7219F95DD84FABFBECEF14314F08845AEA458BA42D324E94C8AB1

Uniqueness

Uniqueness Score: -1.00%

Function 011EAD5A Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,13A6DA2D,00000000,00000000,00000000,00000000), ref: 011EADD4

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9693f8e258bd8afcfadf57df94acf28d10c4a5474ca335725adbac135b9f015f
Instruction ID: 5493bff3773e4b32fee32ee70c8b32a717e7536f3f9bd4c0fa12515433fd44d2
Opcode Fuzzy Hash: 9693f8e258bd8afcfadf57df94acf28d10c4a5474ca335725adbac135b9f015f
Instruction Fuzzy Hash: A7219075604604AFE721CF55DC84FA6FBECEF04710F08845AE9458B692D761E548CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 011EBAB4 Relevance: 1.6, APIs: 1, Instructions: 68
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?), ref: 011EBB2C

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5123a4c5d7ffa79668cffdf596fc12ceaa01df0469dfab8bd3bf77780c2a0f51
Instruction ID: dd5af229c8bdc1cc26bfea004d04ec6d2f4d9aa0b80f40c49d2ce2bd8176829c
Opcode Fuzzy Hash: 5123a4c5d7ffa79668cffdf596fc12ceaa01df0469dfab8bd3bf77780c2a0f51
Instruction Fuzzy Hash: D2215E7150D3C05FDB128B29DC94792BFB4EF47214F0D84DAE9848F557D2649908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011EB42D Relevance: 1.6, APIs: 1, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 011EB4A9

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 19a04220369652a0086cc285000514463d4a37d5afa383e4fb3771a4f99b2cf3
Instruction ID: 260284a495f7035e1555101be5f4a6ad356fa00321dc2d568eead805fcde8b08
Opcode Fuzzy Hash: 19a04220369652a0086cc285000514463d4a37d5afa383e4fb3771a4f99b2cf3
Instruction Fuzzy Hash: DD2190B15097805FDB228E19DC45B62BFF8EF46614F08808AED858B293D365E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 011EBC4B Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 011EBCBF

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 41bf5eb1f57dcdb2c1781dec5022ca0065559fc086f868a444392518bf61f8df
Instruction ID: c43c4fa2df741f50b680d89dc1c1f62228006a209676df281b439683b37eeaa7
Opcode Fuzzy Hash: 41bf5eb1f57dcdb2c1781dec5022ca0065559fc086f868a444392518bf61f8df
Instruction Fuzzy Hash: 9C21A2B15093809FEB12CF65DC45B52BFF4EF46210F0984DAED848F263D274A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011EA5FB Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011EA666

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4df1c3824ff9f278a603161290c40af6940e4e4a1e3be7b880f554c2eafe8e95
Instruction ID: 8997c16697a7264f69e8664bd31dc281383994bd2440bd948b90363e8b3a9491
Opcode Fuzzy Hash: 4df1c3824ff9f278a603161290c40af6940e4e4a1e3be7b880f554c2eafe8e95
Instruction Fuzzy Hash: 9E118171409780AFDB228F55DC44B62FFF4EF8A310F0888DAED858B563D275A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 011EBD10 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 011EBD75

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 384544722a2bc3f3e10b13e67088d2b9aaf9357cf338dbb27457250c7d9160cd
Instruction ID: 82434da3a1a20394eefd3ca3e939297ff113afcaef2d3d808effaabee4842e69
Opcode Fuzzy Hash: 384544722a2bc3f3e10b13e67088d2b9aaf9357cf338dbb27457250c7d9160cd
Instruction Fuzzy Hash: CE1198B1508740AFDB228F19DC45F66FFF8EF45614F08809EED458B663D261E918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011EA42A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 011EA480

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 289249486efaea38921070b3e87d630134c915de20c50faad3339d6351bf607d
Instruction ID: 119f8f0296a0e5740240880ff95d2b71f87fb881f9f5fbb025fb989234c50316
Opcode Fuzzy Hash: 289249486efaea38921070b3e87d630134c915de20c50faad3339d6351bf607d
Instruction Fuzzy Hash: E60184B5408384AFDB12CB15DC48B62FFF8EF46620F0880DAED854B253D275A908DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 011EBD32 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 011EBD75

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 25e85c667c78357007446500180bd38fd6d4075116296145d1ae0baee82205b2
Instruction ID: d77bb573467e306c08ace68160196db6d6ea3f188fc9f2069ad3d3b66f506480
Opcode Fuzzy Hash: 25e85c667c78357007446500180bd38fd6d4075116296145d1ae0baee82205b2
Instruction Fuzzy Hash: 68019271504600CFDB658F5ADC49B5AFBE4FF14624F08805ADD458B762D371E458CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 011EB45E Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 011EB4A9

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 3d25464eb6cf0e80ba1bf12ef273d6b229e10532536e38ecdbcce27fa52219fa
Instruction ID: 9398c1c6a172ba29f827fb307cda201497e19c3843c813fc8497cb02fdada03c
Opcode Fuzzy Hash: 3d25464eb6cf0e80ba1bf12ef273d6b229e10532536e38ecdbcce27fa52219fa
Instruction Fuzzy Hash: 3F01B5715046008FEB24CF59DC89B62FBE8EF14620F08C099ED4A8B752D374E408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 011EA622 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011EA666

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6f66f214fb9d703067a2a5a59c2a5de2e3d316cda4cc66d7a9e2da7848242548
Instruction ID: 410f59794e904c7e459dc6881a04503480a80bd9d7660bbe784079413b4c24b3
Opcode Fuzzy Hash: 6f66f214fb9d703067a2a5a59c2a5de2e3d316cda4cc66d7a9e2da7848242548
Instruction Fuzzy Hash: 29016D72904600DFDB218F95D944B66FBE4EF49320F08C89ADD494B652D375E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 011EBC82 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 011EBCBF

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 0597e28335f46eb52f2f430a8e0b1788deaac7561d4ca8ff1b14865fc403b2e8
Instruction ID: 6fa142bb1fea0588310b7a57b6f378d8292ebb8e07e24ad4c15c946e43d161e7
Opcode Fuzzy Hash: 0597e28335f46eb52f2f430a8e0b1788deaac7561d4ca8ff1b14865fc403b2e8
Instruction Fuzzy Hash: 0F01D471908600CFEB10CF9AD889766FBE4EF04220F08C4AADD498B342D775E414CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011EA2F6 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 011EA346

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 60dabfaabe173b796cb5f9708e6cb15476829bc90a55eb51da1884a86ba9026c
Instruction ID: ad00fe9b220bc1eb121f545398d90b5e15123f7a44cf0974046cbe75810056d4
Opcode Fuzzy Hash: 60dabfaabe173b796cb5f9708e6cb15476829bc90a55eb51da1884a86ba9026c
Instruction Fuzzy Hash: D301A271500200ABD310DF1ACD46B66FBE8FB88A20F14815AEC089BB41D731F955CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 011EBAF2 Relevance: 1.5, APIs: 1, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 011EBB2C

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e6e5369e9fc90340d29c8c3fdbf854381c55a03b3dd9723f3b08f8143ebef7ec
Instruction ID: 984a8838c352667f001c871fd43a055fa1a2d6d8cbdbef3f94004e173f5c0a0f
Opcode Fuzzy Hash: e6e5369e9fc90340d29c8c3fdbf854381c55a03b3dd9723f3b08f8143ebef7ec
Instruction Fuzzy Hash: 660184719086408FDB60CF99D889762FBD8EF54620F08C4AADD498F75AD374E404CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 011EA44E Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 011EA480

Memory Dump Source

Source File: 00000004.00000002.1857720736.00000000011EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11ea000_chargeable.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 77727662f0621efe675824494a2b05fab97e3ec5dad0a7c736a3c66ebcf87550
Instruction ID: 62daa63ccd8264a30f71513e4794fcea6acdd90c6eb61ce485502da0063a6489
Opcode Fuzzy Hash: 77727662f0621efe675824494a2b05fab97e3ec5dad0a7c736a3c66ebcf87550
Instruction Fuzzy Hash: 4EF0AF75904640CFDB10CF4AE889761FBE4EF55220F0CC0AADD494B752E379E448CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0145CB00 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1858151185.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1450000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f643c12e3fe541076c7bd917aa1896aa9075736db739218f78d12245b027bb17
Instruction ID: b1ab86702d690803988b6aee24dc8f4ffedc9a96e91c812da391abe68ca12b5e
Opcode Fuzzy Hash: f643c12e3fe541076c7bd917aa1896aa9075736db739218f78d12245b027bb17
Instruction Fuzzy Hash: D331EB30B00305CBDF659B7994987BE7AFBAB8C250F14402AD801E7756CF748C029B95

Uniqueness

Uniqueness Score: -1.00%

Function 0145C7E1 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1858151185.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1450000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932fcfab584c6442ea9d4f92c0d8e631bde51870c8b320621348f1385b4cbde5
Instruction ID: f0aeca72cded97f98732c9c2743d091e95b64f17984e36ab89ee2c0e046275a2
Opcode Fuzzy Hash: 932fcfab584c6442ea9d4f92c0d8e631bde51870c8b320621348f1385b4cbde5
Instruction Fuzzy Hash: 9D318134A003128FCB55DB69D9C097FBBB9FF48355B10412AD80197356DB34DD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01450006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1858151185.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1450000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adfaa84bdd0c4ec41eaa8f57936175d15dbbcba2190c4cc93b29a904f7a13d3f
Instruction ID: f481d0b95f46fa04e4c6d72ecc2f041c38f250aa891f98489affc98b9c35e29a
Opcode Fuzzy Hash: adfaa84bdd0c4ec41eaa8f57936175d15dbbcba2190c4cc93b29a904f7a13d3f
Instruction Fuzzy Hash: CA11BC2114E3C45FD75767744D355A93F719E03014B0E81EBE5C4CE5A3CA1E894AD3A6

Uniqueness

Uniqueness Score: -1.00%

Function 0126076C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1858060374.0000000001260000.00000040.00000020.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1260000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da44d1ea8783a7b5c3f1708db7c51a4e373fb324593c95420b6f6cb12d4d7375
Instruction ID: cc487af05a7e8099eebf8ba1f61a90fe6cc69282a64a483f14e62f2140109ccb
Opcode Fuzzy Hash: da44d1ea8783a7b5c3f1708db7c51a4e373fb324593c95420b6f6cb12d4d7375
Instruction Fuzzy Hash: 6F11E730214281DFD716CB54D980B25BB99EB89708F24C59CF5491BBC2C77BD843DA85

Uniqueness

Uniqueness Score: -1.00%

Function 012605E7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1858060374.0000000001260000.00000040.00000020.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1260000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27838829aa45b2c774fda8a7bf618afa868a4cc489eeaff47785d04264a9d3af
Instruction ID: 0042f6a6c3910fa4ae6b5096d6713e715b60336311f8d038af9b54ad90f46c03
Opcode Fuzzy Hash: 27838829aa45b2c774fda8a7bf618afa868a4cc489eeaff47785d04264a9d3af
Instruction Fuzzy Hash: 8BF044B65097806FD7118B16AC44863FFB8EF96620709C49FEC498B652D225A909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0126075F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1858060374.0000000001260000.00000040.00000020.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1260000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f20e732d939d3e5471710a6f2e44bd9713c0dbf81eb22dd960a9e277deb68b8
Instruction ID: 73db210b55e842a9008e9da5c13bcfe8d54b5d87e05520a608137741b88a9d8b
Opcode Fuzzy Hash: 0f20e732d939d3e5471710a6f2e44bd9713c0dbf81eb22dd960a9e277deb68b8
Instruction Fuzzy Hash: 53117C341082818FC707CB10C990B15BBB1EB8A308F28C6EEE5494B6A3C73A9842DB41

Uniqueness

Uniqueness Score: -1.00%

Function 01260648 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1858060374.0000000001260000.00000040.00000020.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1260000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8950793e56bb1cfe8986b0a0f608769c039ba685f1c7fc25a5d81598f8ffba7c
Instruction ID: 0583f03fc298083aac54c73fc10c80febcaec59948b6c9e126508850c0e41c18
Opcode Fuzzy Hash: 8950793e56bb1cfe8986b0a0f608769c039ba685f1c7fc25a5d81598f8ffba7c
Instruction Fuzzy Hash: 3FF0B4B6504600AB9710CE0AEC418A3F7ECEB88630B08C42EEC4997B01D235F805CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 01260828 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1858060374.0000000001260000.00000040.00000020.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1260000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5405e8c2313153df6eab1cfdcb54e4ecace335342848f3dcb2b97980fc5d3c2
Instruction ID: c2f4f598a0b43bb154b0b5198191db1d7cca5646a21ed71fea6a94dc8ed20fd4
Opcode Fuzzy Hash: f5405e8c2313153df6eab1cfdcb54e4ecace335342848f3dcb2b97980fc5d3c2
Instruction Fuzzy Hash: 51F06D35104645DFC306CB04D980B25FBA6EB88718F24CAADE94907752C737E813DE85

Uniqueness

Uniqueness Score: -1.00%

Function 01260606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1858060374.0000000001260000.00000040.00000020.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1260000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f305f8ef9e2571da0626d5926be7b3245c1723fe65edb0839d352ab4e707de83
Instruction ID: 36fc50bde59b1f51d36d635cb3b53e53ebff94db2a676ef4361d5763302ba3d6
Opcode Fuzzy Hash: f305f8ef9e2571da0626d5926be7b3245c1723fe65edb0839d352ab4e707de83
Instruction Fuzzy Hash: C0E092B66046005B9750CF0BEC41492F7D8EB88630708C47FDC0D8B701D235B508CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 011E23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1857698007.00000000011E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e2000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fae927db6c91f21cc8775c54f6192e282e05338d41768b56ba2732e0fb5c23d
Instruction ID: bfbbdc39ad6b5cbd7ab75492d3d20d1a978ed745f10449a9386a039fe98f3897
Opcode Fuzzy Hash: 5fae927db6c91f21cc8775c54f6192e282e05338d41768b56ba2732e0fb5c23d
Instruction Fuzzy Hash: BED05E79305AC14FE31A9B1CC1A8B953BE8AB61714F5A44F9A8008B763C768E5C1D600

Uniqueness

Uniqueness Score: -1.00%

Function 011E23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1857698007.00000000011E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e2000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31030a5c8cc492f37301f3260aa93888ac4b11df3b08e931d063ac821b70ed26
Instruction ID: 28ea2e9987000db297f0a72c72615c3d555d445ef0251b92f36d12f4ba3e11db
Opcode Fuzzy Hash: 31030a5c8cc492f37301f3260aa93888ac4b11df3b08e931d063ac821b70ed26
Instruction Fuzzy Hash: E0D05E34204A814BD719DA0CC6E8F593BD8AB54B14F1A44E8BC108B762C7B4E8C0CE00

Uniqueness

Uniqueness Score: -1.00%

Function 0145C7C0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1858151185.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1450000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5963a2941c6d21897128ccc0eddcd082fd4c5ee33d8f52f6fa65b7bd784995
Instruction ID: a5aff81d98123061d7750990530c9292265847b20d80c29e24910d70e19aecba
Opcode Fuzzy Hash: 5f5963a2941c6d21897128ccc0eddcd082fd4c5ee33d8f52f6fa65b7bd784995
Instruction Fuzzy Hash: 41B0122D8092C05FCF260330BC5419A3F30AE4330230514F5E4E0C10DAC0140C8ED322

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SjMIbKjuDL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\SjMIbKjuDL.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

C:\Users\user\AppData\Roaming\confuse\chargeable.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
SjMIbKjuDL.exe

Function 00D500D0 Relevance: 9.1, Instructions: 9145
COMMON

Function 00D500E0 Relevance: 9.1, Instructions: 9140
COMMON

Function 00D598A0 Relevance: 2.7, Instructions: 2696
COMMON

Function 0069AC22 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Function 049B0B60 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Function 0069AD19 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Function 049B0F83 Relevance: 1.6, APIs: 1, Instructions: 81
registryCOMMON

Function 0069A2AC Relevance: 1.6, APIs: 1, Instructions: 78
COMMON