Windows Analysis Report
YKTNuK117e.exe

Overview

General Information

Sample name: YKTNuK117e.exe (renamed because the original name is a hash value)
Original sample name: 200a92ad17110cb3dacc7387b12186c6.exe
Analysis ID: 1429083
MD5: 200a92ad17110cb3dacc7387b12186c6
SHA1: 6bee61858fbf3152f748b3dcdffe0509a8d30a57
SHA256: 4685803ad19d283ca259f4af5fff5f0c397c0fe0c3032b663d0b99d510c4fcb6
Tags: exe, njrat, RAT

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Disables zone checking for all users
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Protects its processes via BreakOnTermination flag
Sigma detected: New RUN Key Pointing to Suspicious Folder
Uses netsh to modify the Windows network and firewall settings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • YKTNuK117e.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\YKTNuK117e.exe" MD5: 200A92AD17110CB3DACC7387B12186C6)
    • WindowsServices.exe (PID: 7440 cmdline: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" MD5: 200A92AD17110CB3DACC7387B12186C6)
      • netsh.exe (PID: 7484 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • WindowsServices.exe (PID: 7884 cmdline: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" .. MD5: 200A92AD17110CB3DACC7387B12186C6)
  • WindowsServices.exe (PID: 8004 cmdline: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" .. MD5: 200A92AD17110CB3DACC7387B12186C6)
  • WindowsServices.exe (PID: 8064 cmdline: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" .. MD5: 200A92AD17110CB3DACC7387B12186C6)
  • cleanup
Malware family information (columns: Name | Description | Attribution | Blogpost URLs | Link):

Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Extracted malware configuration:
{"Host": "83.196.78.85", "Port": "8080", "Version": "0.7d", "Campaign ID": "ok", "Registry": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Startup": "19447a578b6a3b2cdbc5a3dc3e7f5251"}
Yara matches on the submitted sample (columns: Source | Rule | Description | Author | Strings):

Source: YKTNuK117e.exe | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
Source: YKTNuK117e.exe | Rule: Windows_Trojan_Njrat_30f3c220 | Description: unknown | Author: unknown
  • 0x5767:$a1: get_Registry
  • 0x6b20:$a2: SEE_MASK_NOZONECHECKS
  • 0x6930:$a3: Download ERROR
  • 0x6c58:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x6bf8:$a5: netsh firewall delete allowedprogram "
Source: YKTNuK117e.exe | Rule: CN_disclosed_20180208_c | Description: Detects malware from disclosed CN malware set | Author: Florian Roth
  • 0x6c58:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x682a:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x6952:$s3: Executed As
  • 0x5fb3:$s5: Stub.exe
  • 0x6930:$s6: Download ERROR
  • 0x67ec:$s8: Select * From AntiVirusProduct
Source: YKTNuK117e.exe | Rule: njrat1 | Description: Identify njRat | Author: Brian Wallace @botnet_hunter
  • 0x6b50:$a1: netsh firewall add allowedprogram
  • 0x6b20:$a2: SEE_MASK_NOZONECHECKS
  • 0x6ce0:$b1: [TAP]
  • 0x6c58:$c3: cmd.exe /c ping
Source: YKTNuK117e.exe | Rule: Njrat | Description: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
  • 0x6b20:$reg: SEE_MASK_NOZONECHECKS
  • 0x690c:$msg: Execute ERROR
  • 0x696c:$msg: Execute ERROR
  • 0x6c58:$ping: cmd.exe /c ping 0 -n 2 & del
Yara matches on dropped files (columns: Source | Rule | Description | Author | Strings):

Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Rule: Windows_Trojan_Njrat_30f3c220 | Description: unknown | Author: unknown
  • 0x5767:$a1: get_Registry
  • 0x6b20:$a2: SEE_MASK_NOZONECHECKS
  • 0x6930:$a3: Download ERROR
  • 0x6c58:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x6bf8:$a5: netsh firewall delete allowedprogram "
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Rule: CN_disclosed_20180208_c | Description: Detects malware from disclosed CN malware set | Author: Florian Roth
  • 0x6c58:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x682a:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x6952:$s3: Executed As
  • 0x5fb3:$s5: Stub.exe
  • 0x6930:$s6: Download ERROR
  • 0x67ec:$s8: Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Rule: njrat1 | Description: Identify njRat | Author: Brian Wallace @botnet_hunter
  • 0x6b50:$a1: netsh firewall add allowedprogram
  • 0x6b20:$a2: SEE_MASK_NOZONECHECKS
  • 0x6ce0:$b1: [TAP]
  • 0x6c58:$c3: cmd.exe /c ping
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Rule: Njrat | Description: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
  • 0x6b20:$reg: SEE_MASK_NOZONECHECKS
  • 0x690c:$msg: Execute ERROR
  • 0x696c:$msg: Execute ERROR
  • 0x6c58:$ping: cmd.exe /c ping 0 -n 2 & del
Yara matches on process memory dumps (columns: Source | Rule | Description | Author | Strings):

Source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
Source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp | Rule: Windows_Trojan_Njrat_30f3c220 | Description: unknown | Author: unknown
  • 0x5567:$a1: get_Registry
  • 0x6920:$a2: SEE_MASK_NOZONECHECKS
  • 0x6730:$a3: Download ERROR
  • 0x6a58:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x69f8:$a5: netsh firewall delete allowedprogram "
Source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp | Rule: njrat1 | Description: Identify njRat | Author: Brian Wallace @botnet_hunter
  • 0x6950:$a1: netsh firewall add allowedprogram
  • 0x6920:$a2: SEE_MASK_NOZONECHECKS
  • 0x6ae0:$b1: [TAP]
  • 0x6a58:$c3: cmd.exe /c ping
Source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp | Rule: Njrat | Description: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
  • 0x6920:$reg: SEE_MASK_NOZONECHECKS
  • 0x670c:$msg: Execute ERROR
  • 0x676c:$msg: Execute ERROR
  • 0x6a58:$ping: cmd.exe /c ping 0 -n 2 & del
Source: 00000000.00000002.1748887345.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
Yara matches on unpacked PE files (columns: Source | Rule | Description | Author | Strings):

Source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
Source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack | Rule: Windows_Trojan_Njrat_30f3c220 | Description: unknown | Author: unknown
  • 0x3967:$a1: get_Registry
  • 0x4d20:$a2: SEE_MASK_NOZONECHECKS
  • 0x4b30:$a3: Download ERROR
  • 0x4e58:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x4df8:$a5: netsh firewall delete allowedprogram "
Source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack | Rule: CN_disclosed_20180208_c | Description: Detects malware from disclosed CN malware set | Author: Florian Roth
  • 0x4e58:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4a2a:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x4b52:$s3: Executed As
  • 0x41b3:$s5: Stub.exe
  • 0x4b30:$s6: Download ERROR
  • 0x49ec:$s8: Select * From AntiVirusProduct
Source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack | Rule: njrat1 | Description: Identify njRat | Author: Brian Wallace @botnet_hunter
  • 0x4d50:$a1: netsh firewall add allowedprogram
  • 0x4d20:$a2: SEE_MASK_NOZONECHECKS
  • 0x4ee0:$b1: [TAP]
  • 0x4e58:$c3: cmd.exe /c ping
Source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack | Rule: Njrat | Description: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
  • 0x4d20:$reg: SEE_MASK_NOZONECHECKS
  • 0x4b0c:$msg: Execute ERROR
  • 0x4b6c:$msg: Execute ERROR
  • 0x4e58:$ping: cmd.exe /c ping 0 -n 2 & del

System Summary (Sigma matches)

Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, ProcessId: 7440, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19447a578b6a3b2cdbc5a3dc3e7f5251
Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 83.196.78.85, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, Initiated: true, ProcessId: 7440, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, ProcessId: 7440, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19447a578b6a3b2cdbc5a3dc3e7f5251
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, ProcessId: 7440, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, ProcessId: 7440, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\19447a578b6a3b2cdbc5a3dc3e7f5251
No Snort rule has matched

AV Detection

Source: YKTNuK117e.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe | Avira: detection malicious, Label: TR/Dropper.Gen7
Source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp | Malware Configuration Extractor: Njrat {"Host": "83.196.78.85", "Port": "8080", "Version": "0.7d", "Campaign ID": "ok", "Registry": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Startup": "19447a578b6a3b2cdbc5a3dc3e7f5251"}
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Virustotal: Detection: 82%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe | Virustotal: Detection: 82%
Source: YKTNuK117e.exe | ReversingLabs: Detection: 86%
Source: YKTNuK117e.exe | Virustotal: Detection: 82%
Source: Yara match | File source: YKTNuK117e.exe, type: SAMPLE
Source: Yara match | File source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.YKTNuK117e.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YKTNuK117e.exe.2c844e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1748887345.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4155853569.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: YKTNuK117e.exe PID: 7344, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WindowsServices.exe PID: 7440, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe | Joe Sandbox ML: detected
Source: YKTNuK117e.exe | Joe Sandbox ML: detected
Source: YKTNuK117e.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\YKTNuK117e.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: YKTNuK117e.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor | URLs: 83.196.78.85
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 83.196.78.85:8080
Source: Joe Sandbox View | ASN Name: FranceTelecom-OrangeFR
Source: unknown | TCP traffic detected without corresponding DNS query: 83.196.78.85 (this entry is repeated 50 times in the report)
Source: WindowsServices.exe, 00000001.00000002.4154679430.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.
Source: WindowsServices.exe, 00000001.00000002.4154679430.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.LinkId=42127

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: YKTNuK117e.exe, kl.cs | .Net Code: VKCodeToUnicode
Source: WindowsServices.exe.0.dr, kl.cs | .Net Code: VKCodeToUnicode
Source: 0.2.YKTNuK117e.exe.2c844e8.0.raw.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: 19447a578b6a3b2cdbc5a3dc3e7f5251.exe.1.dr, kl.cs | .Net Code: VKCodeToUnicode

E-Banking Fraud

Source: Yara match | File source: YKTNuK117e.exe, type: SAMPLE
Source: Yara match | File source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.YKTNuK117e.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YKTNuK117e.exe.2c844e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1748887345.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4155853569.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: YKTNuK117e.exe PID: 7344, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WindowsServices.exe PID: 7440, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, type: DROPPED

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Process information set: 01 00 00 00

            System Summary

            barindex
            Source: YKTNuK117e.exe, type: SAMPLEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: YKTNuK117e.exe, type: SAMPLEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: YKTNuK117e.exe, type: SAMPLEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: YKTNuK117e.exe, type: SAMPLEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: YKTNuK117e.exe, type: SAMPLEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: 0.0.YKTNuK117e.exe.5f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: 0.0.YKTNuK117e.exe.5f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 0.0.YKTNuK117e.exe.5f0000.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 0.0.YKTNuK117e.exe.5f0000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 0.0.YKTNuK117e.exe.5f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.raw.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.1748887345.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: 00000000.00000002.1748887345.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: 00000000.00000002.1748887345.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, type: DROPPEDMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, type: DROPPEDMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess Stats: CPU usage > 49%
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 1_2_009FBBC6 NtSetInformationProcess,1_2_009FBBC6
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 1_2_009FBBA4 NtSetInformationProcess,1_2_009FBBA4
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 1_2_01051B46 NtQuerySystemInformation,1_2_01051B46
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 1_2_01051B0B NtQuerySystemInformation,1_2_01051B0B
            Source: C:\Users\user\Desktop\YKTNuK117e.exeCode function: 0_2_00EF268E0_2_00EF268E
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 1_2_009F268E1_2_009F268E
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 7_2_0077247C7_2_0077247C
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 8_2_016226C38_2_016226C3
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 8_2_0162247C8_2_0162247C
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 9_2_010A26C39_2_010A26C3
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 9_2_010A247C9_2_010A247C
            Source: YKTNuK117e.exe, 00000000.00000002.1748488867.0000000000C8E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs YKTNuK117e.exe
            Source: YKTNuK117e.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: YKTNuK117e.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: YKTNuK117e.exe, type: SAMPLE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: YKTNuK117e.exe, type: SAMPLE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: YKTNuK117e.exe, type: SAMPLE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: YKTNuK117e.exe, type: SAMPLE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: 0.0.YKTNuK117e.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: 0.0.YKTNuK117e.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.YKTNuK117e.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 0.0.YKTNuK117e.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 0.0.YKTNuK117e.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 00000000.00000002.1748887345.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: 00000000.00000002.1748887345.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: 00000000.00000002.1748887345.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, type: DROPPED | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, type: DROPPED | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, type: DROPPED | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, type: DROPPED | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: classification engine | Classification label: mal100.phis.troj.adwa.spyw.evad.winEXE@9/5@0/1
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 1_2_009FB876 AdjustTokenPrivileges
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 1_2_009FB83F AdjustTokenPrivileges
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\YKTNuK117e.exe.log
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Mutant created: \Sessions\1\BaseNamedObjects\19447a578b6a3b2cdbc5a3dc3e7f5251
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | File created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe
            Source: YKTNuK117e.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: YKTNuK117e.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: YKTNuK117e.exe | ReversingLabs: Detection: 86%
            Source: YKTNuK117e.exe | Virustotal: Detection: 82%
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | File read: C:\Users\user\Desktop\YKTNuK117e.exe
            Source: unknown | Process created: C:\Users\user\Desktop\YKTNuK117e.exe "C:\Users\user\Desktop\YKTNuK117e.exe"
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe"
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
            Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe"
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: avicap32.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: msvfw32.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: sxs.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: YKTNuK117e.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
            Source: YKTNuK117e.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: YKTNuK117e.exe, OK.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: WindowsServices.exe.0.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: 0.2.YKTNuK117e.exe.2c844e8.0.raw.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: 19447a578b6a3b2cdbc5a3dc3e7f5251.exe.1.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\YKTNuK117e.exe | File created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe

            Boot Survival

            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 19447a578b6a3b2cdbc5a3dc3e7f5251
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 19447a578b6a3b2cdbc5a3dc3e7f5251
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 19447a578b6a3b2cdbc5a3dc3e7f5251
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 19447a578b6a3b2cdbc5a3dc3e7f5251
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 19447a578b6a3b2cdbc5a3dc3e7f5251
            Source: C:\Users\user\Desktop\YKTNuK117e.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\YKTNuK117e.exe Memory allocated: F60000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\YKTNuK117e.exe Memory allocated: 2C60000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\YKTNuK117e.exe Memory allocated: FD0000 memory commit | memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Memory allocated: AE0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Memory allocated: 2BC0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Memory allocated: D70000 memory commit | memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Memory allocated: AC0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Memory allocated: 2860000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Memory allocated: 4860000 memory commit | memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Memory allocated: 1690000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Memory allocated: 34A0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Memory allocated: 1810000 memory commit | memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Memory allocated: 1100000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Memory allocated: 31F0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Memory allocated: 51F0000 memory commit | memory reserve | memory write watch
            Source: C:\Users\user\Desktop\YKTNuK117e.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Window / User API: threadDelayed 1454
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Window / User API: threadDelayed 3535
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Window / User API: threadDelayed 4263
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Window / User API: foregroundWindowGot 1763
            Source: C:\Users\user\Desktop\YKTNuK117e.exe TID: 7364 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 7444 Thread sleep time: -1454000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 7444 Thread sleep time: -4263000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 7912 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 8024 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 8092 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: netsh.exe, 00000002.00000003.1819823605.00000000012F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
            Source: 19447a578b6a3b2cdbc5a3dc3e7f5251.exe.1.dr Binary or memory string: VBoxServiceTrueTEMP'WindowsServices.exe
            Source: WindowsServices.exe, 00000001.00000002.4154679430.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.ContextBindingElementImporter, system.workflowservices, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\YKTNuK117e.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: YKTNuK117e.exe, kl.csReference to suspicious API methods: MapVirtualKey(a, 0u)
            Source: YKTNuK117e.exe, kl.csReference to suspicious API methods: GetAsyncKeyState(num2)
            Source: YKTNuK117e.exe, OK.csReference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
            Source: C:\Users\user\Desktop\YKTNuK117e.exe Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe"
            Source: WindowsServices.exe, 00000001.00000002.4155853569.0000000002BC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
            Source: WindowsServices.exe, 00000001.00000002.4155853569.0000000002BC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager@9
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
            Source: WindowsServices.exe, 00000001.00000002.4159340432.00000000059A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %\Windows Defender\MsMpeng.exe
            Source: WindowsServices.exe, 00000001.00000002.4154679430.0000000000D23000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000001.00000002.4154679430.0000000000D0B000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000001.00000002.4154679430.0000000000CAF000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000001.00000002.4154679430.0000000000CEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: WindowsServices.exe, 00000001.00000002.4155278201.0000000000D67000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: amFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
            Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match, File source: YKTNuK117e.exe, type: SAMPLE
            Source: Yara match, File source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.0.YKTNuK117e.exe.5f0000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.YKTNuK117e.exe.2c844e8.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.1748887345.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000002.4155853569.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: YKTNuK117e.exe PID: 7344, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: WindowsServices.exe PID: 7440, type: MEMORYSTR
            Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, type: DROPPED
            Source: Yara match, File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, type: DROPPED

            Remote Access Functionality

            Source: Yara match, File source: YKTNuK117e.exe, type: SAMPLE
            Source: Yara match, File source: 0.2.YKTNuK117e.exe.2c844e8.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.0.YKTNuK117e.exe.5f0000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.YKTNuK117e.exe.2c844e8.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.1748887345.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000002.4155853569.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: YKTNuK117e.exe PID: 7344, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: WindowsServices.exe PID: 7440, type: MEMORYSTR
            Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, type: DROPPED
            Source: Yara match, File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, type: DROPPED
            MITRE ATT&CK Matrix (the number in parentheses is the count of signatures mapped to that technique; unnumbered entries are matrix placeholders with no matching signature)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: Windows Management Instrumentation (1); Native API (1); At; Cron; Launchd; Scheduled Task; Systemd Timers
            Persistence: Registry Run Keys / Startup Folder (221); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
            Privilege Escalation: Access Token Manipulation (1); Process Injection (12); Registry Run Keys / Startup Folder (221); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items
            Defense Evasion: Masquerading (1); Disable or Modify Tools (31); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (12); Software Packing (1); DLL Side-Loading (1)
            Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: Security Software Discovery (121); Process Discovery (2); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (12); Remote System Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: Input Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
            Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
            Behavior Graph ID: 1429083, Sample: YKTNuK117e.exe, Start date: 20/04/2024, Architecture: WINDOWS, Score: 100
            Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 11 other signatures

            Process tree:
            • YKTNuK117e.exe (started)
              • Dropped: C:\Users\user\AppData\...\WindowsServices.exe, PE32
              • WindowsServices.exe (started)
                • Network: 83.196.78.85 (49730, 49737, 49738), FranceTelecom-OrangeFR, France
                • Dropped: C:\...\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, PE32
                • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Protects its processes via BreakOnTermination flag; 6 other signatures
                • netsh.exe (started)
                  • conhost.exe (started)
            • WindowsServices.exe (started)
            • WindowsServices.exe (started)
            • WindowsServices.exe (started)

            Source | Detection | Scanner | Label
            YKTNuK117e.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
            YKTNuK117e.exe | 83% | Virustotal |
            YKTNuK117e.exe | 100% | Avira | TR/Dropper.Gen7
            YKTNuK117e.exe | 100% | Joe Sandbox ML |
            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Temp\WindowsServices.exe | 100% | Avira | TR/Dropper.Gen7
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe | 100% | Avira | TR/Dropper.Gen7
            C:\Users\user\AppData\Local\Temp\WindowsServices.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\WindowsServices.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
            C:\Users\user\AppData\Local\Temp\WindowsServices.exe | 83% | Virustotal |
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe | 83% | Virustotal |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            http://go.microsoft. | 0% | URL Reputation | safe
            No contacted domains info
            Name | Malicious | Antivirus Detection | Reputation
            83.196.78.85 | true | | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://go.microsoft. | WindowsServices.exe, 00000001.00000002.4154679430.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://go.microsoft.LinkId=42127 | WindowsServices.exe, 00000001.00000002.4154679430.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp | false | | low
                IP | Domain | Country | ASN | ASN Name | Malicious
                83.196.78.85 | unknown | France | 3215 | FranceTelecom-OrangeFR | true
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1429083
                Start date and time:2024-04-20 18:26:04 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 8m 15s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:11
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:YKTNuK117e.exe
                renamed because original name is a hash value
                Original Sample Name:200a92ad17110cb3dacc7387b12186c6.exe
                Detection:MAL
                Classification:mal100.phis.troj.adwa.spyw.evad.winEXE@9/5@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 167
                • Number of non-executed functions: 1
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                Time | Type | Description
                17:27:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 19447a578b6a3b2cdbc5a3dc3e7f5251 "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
                17:27:21 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 19447a578b6a3b2cdbc5a3dc3e7f5251 "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
                17:27:31 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 19447a578b6a3b2cdbc5a3dc3e7f5251 "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
                17:27:39 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe
                18:27:13 | API Interceptor | 478658x Sleep call for process: WindowsServices.exe modified
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                FranceTelecom-OrangeFR | JdnjRc1VGX.elf | malicious | Mirai | 86.199.95.91
                FranceTelecom-OrangeFR | H6ccnU1094.elf | malicious | Mirai, Okiru | 83.115.239.3
                FranceTelecom-OrangeFR | 9IseFevRH6.elf | malicious | Mirai | 109.211.102.134
                FranceTelecom-OrangeFR | BzmhHwFpCV.elf | malicious | Mirai | 90.13.203.111
                FranceTelecom-OrangeFR | ZOHH8muwjh.elf | malicious | Mirai | 92.138.88.144
                FranceTelecom-OrangeFR | E3kpuuuOfy.elf | malicious | Mirai | 83.196.75.183
                FranceTelecom-OrangeFR | enEQvjUlGl.elf | malicious | Mirai | 109.212.215.173
                FranceTelecom-OrangeFR | 4XAsw9FSr5.elf | malicious | Unknown | 83.114.112.82
                FranceTelecom-OrangeFR | Oo2yeTdq5J.elf | malicious | Mirai | 81.55.171.61
                FranceTelecom-OrangeFR | Yui1pUgieI.elf | malicious | Mirai | 109.219.139.16
                Process:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):525
                Entropy (8bit):5.259753436570609
                Encrypted:false
                SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                MD5:260E01CC001F9C4643CA7A62F395D747
                SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                Process:C:\Users\user\Desktop\YKTNuK117e.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):525
                Entropy (8bit):5.259753436570609
                Encrypted:false
                SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                MD5:260E01CC001F9C4643CA7A62F395D747
                SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                Process:C:\Users\user\Desktop\YKTNuK117e.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):32256
                Entropy (8bit):5.615701037320533
                Encrypted:false
                SSDEEP:768:oJhOBb13hdwzxLy3gcEOvVMRvqfQmIDUu0tiBdj:gUZ6WZ6AQVkuj
                MD5:200A92AD17110CB3DACC7387B12186C6
                SHA1:6BEE61858FBF3152F748B3DCDFFE0509A8D30A57
                SHA-256:4685803AD19D283CA259F4AF5FFF5F0C397C0FE0C3032B663D0B99D510C4FCB6
                SHA-512:1EDF29F9EBCE81CE230829637A8AD672F8D389984BB020B43992AACBF47674B8F1E5E8AF8D7EEE1AE42B03C7334E0CCEF175A868704FBB265EB4810CDE50B0E7
                Malicious:true
                Yara Hits:
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, Author: Joe Security
                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, Author: unknown
                • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, Author: Florian Roth
                • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, Author: Brian Wallace @botnet_hunter
                • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, Author: JPCERT/CC Incident Response Group
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, Author: ditekSHen
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 87%
                • Antivirus: Virustotal, Detection: 83%, Browse
                Reputation:low
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................v............... ........@.. ....................................@....................................O.......@............................................................................ ............... ..H............text...$u... ...v.................. ..`.rsrc...@............x..............@..@.reloc...............|..............@..B........................H.......@\...8......E.....................................................(....*&..(.....*.s.........s.........s.........s.........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0......................,.(...+.+....+..*&........*&..(.....*....0..&........~..............,.(...+.....~.....+..*&..(.....*.s..
                Process:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):32256
                Entropy (8bit):5.615701037320533
                Encrypted:false
                SSDEEP:768:oJhOBb13hdwzxLy3gcEOvVMRvqfQmIDUu0tiBdj:gUZ6WZ6AQVkuj
                MD5:200A92AD17110CB3DACC7387B12186C6
                SHA1:6BEE61858FBF3152F748B3DCDFFE0509A8D30A57
                SHA-256:4685803AD19D283CA259F4AF5FFF5F0C397C0FE0C3032B663D0B99D510C4FCB6
                SHA-512:1EDF29F9EBCE81CE230829637A8AD672F8D389984BB020B43992AACBF47674B8F1E5E8AF8D7EEE1AE42B03C7334E0CCEF175A868704FBB265EB4810CDE50B0E7
                Malicious:true
                Yara Hits:
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, Author: Joe Security
                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, Author: unknown
                • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, Author: Florian Roth
                • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, Author: Brian Wallace @botnet_hunter
                • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, Author: JPCERT/CC Incident Response Group
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19447a578b6a3b2cdbc5a3dc3e7f5251.exe, Author: ditekSHen
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 87%
                • Antivirus: Virustotal, Detection: 83%, Browse
                Reputation:low
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................v............... ........@.. ....................................@....................................O.......@............................................................................ ............... ..H............text...$u... ...v.................. ..`.rsrc...@............x..............@..@.reloc...............|..............@..B........................H.......@\...8......E.....................................................(....*&..(.....*.s.........s.........s.........s.........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0......................,.(...+.+....+..*&........*&..(.....*....0..&........~..............,.(...+.....~.....+..*&..(.....*.s..
                Process:C:\Windows\SysWOW64\netsh.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):313
                Entropy (8bit):4.971939296804078
                Encrypted:false
                SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                MD5:689E2126A85BF55121488295EE068FA1
                SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                Malicious:false
                Reputation:high, very likely benign file
                Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):5.615701037320533
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                • Win32 Executable (generic) a (10002005/4) 49.75%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Windows Screen Saver (13104/52) 0.07%
                • Generic Win/DOS Executable (2004/3) 0.01%
                File name:YKTNuK117e.exe
                File size:32'256 bytes
                MD5:200a92ad17110cb3dacc7387b12186c6
                SHA1:6bee61858fbf3152f748b3dcdffe0509a8d30a57
                SHA256:4685803ad19d283ca259f4af5fff5f0c397c0fe0c3032b663d0b99d510c4fcb6
                SHA512:1edf29f9ebce81ce230829637a8ad672f8d389984bb020b43992aacbf47674b8f1e5e8af8d7eee1ae42b03c7334e0ccef175a868704fbb265eb4810cde50b0e7
                SSDEEP:768:oJhOBb13hdwzxLy3gcEOvVMRvqfQmIDUu0tiBdj:gUZ6WZ6AQVkuj
                TLSH:28E21AADFBEA4466D2BC0AB50571950013B4D103E523F77E4ECA24A62B6F7D84B84DF2
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................v............... ........@.. ....................................@................................
                Icon Hash:90cececece8e8eb0
                Entrypoint:0x40951e
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp:0x661FCAD4 [Wed Apr 17 13:12:52 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                Instruction
                jmp dword ptr [00402000h]
                (the bytes that follow are zero padding, which the disassembler shows as 97 repetitions of add byte ptr [eax], al)
                The native entrypoint (0x40951e) is the usual x86 .NET loader stub, not sample code: 0x402000 is the single IAT slot (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, size 0x8, image base 0x400000), and that slot holds the only import, mscoree.dll!_CorExeMain, so control passes straight to the CLR. The managed entry point is located through the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at RVA 0x2008), so static analysis of this sample starts from the CIL, not from this stub.
                Name                                  Virtual Address  Virtual Size  Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                IMAGE_DIRECTORY_ENTRY_IMPORT          0x94cc           0x4f          .text
                IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa000           0x240         .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc000           0xc           .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                .text   0x2000           0x7524        0x7600    e4466dbba6148f59dc86ca5a79e47c2b  False     0.4817597987288136  data       5.652543611491193    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rsrc   0xa000           0x240         0x400     5b346ed223699f15252c1fdad182859f  False     0.3134765625        data       4.968771659524424    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc  0xc000           0xc           0x200     ab51cd88731eb5328808e4b8d5b1cbc3  False     0.044921875         data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                Name         RVA     Size   Type                                                      Language  Country  ZLIB Complexity
                RT_MANIFEST  0xa058  0x1e7  XML 1.0 document, ASCII text, with CRLF line terminators                     0.5338809034907598
                DLL          Import
                mscoree.dll  _CorExeMain
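The static fields above are enough to settle two questions an analyst asks of a PE before opening it: is the native entrypoint real code or the .NET loader stub, and does anything in the section table point at a native packer. The script below is an added example, not Joe Sandbox code; it takes its numbers from the report (entrypoint, image base, IAT directory, the single mscoree.dll import, section sizes and entropies). The six entrypoint bytes are reconstructed from the disassembly shown (FF 25 is the opcode of jmp dword ptr [imm32]) and are an assumption in that sense, as is the 7.0 entropy threshold, a common rule of thumb rather than a Joe Sandbox setting.

```python
import math
import struct

# Values copied from the report's static PE information (added example, not the report's own code).
IMAGE_BASE = 0x400000
ENTRYPOINT = 0x40951E
IAT_RVA, IAT_SIZE = 0x2000, 0x8
IAT_SLOTS = {0x2000: ("mscoree.dll", "_CorExeMain")}   # the one and only import
# Constructed: encoding of `jmp dword ptr [00402000h]` (FF 25 + little-endian absolute address).
ENTRY_BYTES = bytes.fromhex("FF2500204000")

# (name, virtual size, raw size, entropy) as listed in the section table.
SECTIONS = [
    (".text", 0x7524, 0x7600, 5.652543611491193),
    (".rsrc", 0x240, 0x400, 4.968771659524424),
    (".reloc", 0xC, 0x200, 0.08153941234324169),
]


def decode_indirect_jmp(code: bytes):
    """Return the absolute memory operand of an `FF 25 imm32` (jmp [mem]) instruction, else None."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    return struct.unpack_from("<I", code, 2)[0]


def classify_entry(code, image_base, iat_rva, iat_size, iat_slots):
    """Tell the .NET loader stub apart from a real native entrypoint.

    A managed x86 PE starts with one jmp through an IAT slot that holds mscoree!_CorExeMain;
    if that is what we find, the native entrypoint carries no sample logic at all."""
    target = decode_indirect_jmp(code)
    if target is None:
        return "native-code-entry"
    rva = target - image_base
    if not iat_rva <= rva < iat_rva + iat_size:
        return "indirect-jmp-outside-iat"
    dll, func = iat_slots.get(rva, ("?", "?"))
    if (dll.lower(), func) == ("mscoree.dll", "_CorExeMain"):
        return "dotnet-loader-stub"
    return f"indirect-jmp-to-{dll}!{func}"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (one byte value) to 8.0 (uniform); the report's Entropy column is this measure."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packing_indicators(sections, entropy_threshold=7.0):
    """Section-level hints of a native packer: near-random bytes, or a section that is mostly
    virtual (raw size far below virtual size) and would be filled by an unpacker at runtime."""
    hits = []
    for name, vsize, rawsize, entropy in sections:
        if entropy >= entropy_threshold:
            hits.append((name, f"entropy {entropy:.2f} >= {entropy_threshold}"))
        if rawsize < vsize // 2:
            hits.append((name, f"raw 0x{rawsize:x} < half of virtual 0x{vsize:x}"))
    return hits


if __name__ == "__main__":
    print(classify_entry(ENTRY_BYTES, IMAGE_BASE, IAT_RVA, IAT_SIZE, IAT_SLOTS))
    print(packing_indicators(SECTIONS) or "no native packer indicators in the section table")
```

For this sample the stub check returns dotnet-loader-stub and the section heuristics return nothing: .text sits at 5.65 bits per byte, well under what a compressed or encrypted blob produces, and every raw size covers its virtual size. Whatever unpacking the sample does therefore happens in managed code, and the place to look is the CIL reached through the COM descriptor.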
                Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                Apr 20, 2024 18:27:14.762742996 CEST  49730        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:14.975326061 CEST  8080         49730      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:14.975467920 CEST  49730        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:15.135021925 CEST  49730        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:15.386348009 CEST  8080         49730      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:15.386431932 CEST  49730        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:15.637702942 CEST  8080         49730      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:20.536849022 CEST  49730        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:20.787210941 CEST  8080         49730      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:21.173100948 CEST  8080         49730      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:21.179256916 CEST  49730        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:21.429635048 CEST  8080         49730      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:24.180352926 CEST  8080         49730      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:24.180752039 CEST  49730        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:26.192548037 CEST  49730        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:26.193010092 CEST  49737        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:26.403249025 CEST  8080         49730      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:26.407190084 CEST  8080         49737      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:26.407306910 CEST  49737        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:26.437163115 CEST  49737        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:26.798470974 CEST  8080         49737      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:26.798716068 CEST  49737        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:27.052334070 CEST  8080         49737      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:28.676065922 CEST  49737        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:28.929934978 CEST  8080         49737      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:32.623456001 CEST  8080         49737      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:32.623775005 CEST  49737        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:32.877815962 CEST  8080         49737      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:35.611426115 CEST  8080         49737      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:35.611676931 CEST  49737        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:37.613476992 CEST  49737        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:37.613940001 CEST  49738        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:37.824250937 CEST  8080         49738      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:37.824337959 CEST  49738        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:37.827121019 CEST  8080         49737      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:37.850763083 CEST  49738        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:38.102024078 CEST  8080         49738      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:38.102072954 CEST  49738        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:38.352822065 CEST  8080         49738      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:44.066121101 CEST  8080         49738      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:44.066685915 CEST  49738        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:44.317246914 CEST  8080         49738      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:47.035198927 CEST  8080         49738      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:47.035270929 CEST  49738        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:50.043853045 CEST  49738        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:50.044279099 CEST  49739        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:50.254595041 CEST  8080         49738      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:50.257602930 CEST  8080         49739      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:50.257822037 CEST  49739        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:50.282874107 CEST  49739        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:50.536739111 CEST  8080         49739      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:50.536952972 CEST  49739        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:50.790968895 CEST  8080         49739      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:53.363742113 CEST  49739        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:53.655603886 CEST  8080         49739      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:56.479963064 CEST  8080         49739      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:56.480756998 CEST  49739        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:27:56.733510971 CEST  8080         49739      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:59.482266903 CEST  8080         49739      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:27:59.482683897 CEST  49739        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:01.488532066 CEST  49739        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:01.489135981 CEST  49741        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:01.702172995 CEST  8080         49739      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:01.702805996 CEST  8080         49741      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:01.703015089 CEST  49741        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:01.733814955 CEST  49741        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:01.987962008 CEST  8080         49741      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:01.988403082 CEST  49741        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:02.241424084 CEST  8080         49741      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:02.801307917 CEST  49741        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:03.055373907 CEST  8080         49741      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:07.916549921 CEST  8080         49741      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:07.917020082 CEST  49741        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:08.173902988 CEST  8080         49741      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:10.907243013 CEST  8080         49741      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:10.907500982 CEST  49741        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:12.910600901 CEST  49741        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:12.911139011 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:13.124241114 CEST  8080         49741      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:13.124700069 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:13.124825954 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:13.174958944 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:13.430058956 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:13.430519104 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:13.684233904 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:14.036593914 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:14.346946001 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:17.395215988 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:17.857808113 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:17.858007908 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:18.260781050 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:18.613950014 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:18.867760897 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:18.868052006 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:19.124289989 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:19.124511003 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:19.340534925 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:19.340642929 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:19.593848944 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:19.594069958 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:19.845607042 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:19.845822096 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:20.102869034 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:20.103046894 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:20.355900049 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:20.358863115 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:20.613931894 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:20.614734888 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:20.924767971 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:20.924983025 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:21.178477049 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:21.178579092 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:21.433377028 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:21.433610916 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:21.685461044 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:21.685746908 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:21.939886093 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:21.941834927 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:22.194809914 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:22.195131063 CEST  49742        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:22.340600967 CEST  8080         49742      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:24.768749952 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:24.979758024 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:24.979970932 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:25.015259981 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:25.268346071 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:25.268450022 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:25.518309116 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:25.518778086 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:25.852893114 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:25.854904890 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:26.103734970 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:26.103840113 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:26.356041908 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:26.358825922 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:26.608298063 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:26.609090090 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:26.861437082 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:26.862829924 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:27.113116980 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:27.113390923 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:27.363137007 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:27.363390923 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:27.614063978 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:27.614734888 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:27.864998102 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:27.865226984 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:28.115732908 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:28.116030931 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:28.366276979 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:28.366566896 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:28.617166996 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:28.617410898 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:28.867820024 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:28.870762110 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:29.123938084 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:29.125116110 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:29.375447035 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:29.375579119 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:29.624687910 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:29.625597954 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:29.875305891 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:29.875412941 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:30.125087023 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:30.125303984 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:30.374982119 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:30.375231028 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:30.630198956 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:30.630316019 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:30.881762981 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:30.881876945 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:31.132325888 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:31.132580042 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:31.195453882 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:31.195578098 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:31.383174896 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:31.383425951 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:31.444988012 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:31.445116997 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:31.634845972 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:31.635160923 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:31.695976019 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:31.696185112 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:31.885293007 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:31.885713100 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:31.947335005 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:31.948613882 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:32.136291981 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:32.138848066 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:32.199235916 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:32.202708006 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:32.389844894 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:32.390044928 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:32.453923941 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:32.454135895 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:32.640750885 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:32.642791986 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:32.705530882 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:32.706938028 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:32.942142963 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:32.942348957 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:32.957726002 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:32.957912922 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:33.168505907 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:33.168627024 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:33.420232058 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:33.420352936 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:33.675683975 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:33.675911903 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:33.927357912 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:33.930951118 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:34.181269884 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:34.181503057 CEST  49743        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:34.198494911 CEST  8080         49743      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:36.209698915 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:36.424582005 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:36.426445961 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:36.454689980 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:36.727544069 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:36.730912924 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:36.980267048 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:36.980501890 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:37.231946945 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:37.232192039 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:37.484338045 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:37.484534979 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:37.735843897 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:37.736094952 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:37.985512018 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:37.986852884 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:38.237720013 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:38.237967968 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:38.488497972 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:38.490957022 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:38.741491079 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:38.742789030 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:38.993489981 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:38.993721962 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:39.244281054 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:39.244524956 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:39.495286942 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:39.495394945 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:39.746483088 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:39.746871948 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:39.997617960 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:39.997885942 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:40.249139071 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:40.249399900 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:40.500338078 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:40.500585079 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:40.750839949 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:40.751056910 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:41.000921965 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:41.002820015 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:41.253350019 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:42.602220058 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:42.626219034 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:42.626344919 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:42.836745024 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:42.836985111 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:43.087548971 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:43.087816954 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:43.338677883 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:43.338793039 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:43.589165926 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:43.589279890 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:43.840298891 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:43.840527058 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:44.091327906 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:44.094985008 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:44.345884085 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:44.345994949 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:44.596203089 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:44.596493959 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:44.847661018 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:44.847918987 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:45.098792076 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:45.099005938 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:45.349328041 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:45.349534988 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:45.600730896 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:45.600979090 CEST  49744        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:45.629462004 CEST  8080         49744      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:47.645312071 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:47.856211901 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:47.856498003 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:47.888948917 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:48.139348984 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:48.142745972 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:48.393492937 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:48.393719912 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:48.644531012 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:48.646893978 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:48.897965908 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:48.898204088 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:49.148376942 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:49.148643970 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:49.399490118 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:49.399729013 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:49.650619030 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:49.650854111 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:49.901803970 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:49.902533054 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:50.153462887 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:50.154877901 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:50.405922890 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:50.406179905 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:50.655127048 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:50.655347109 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:50.906739950 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:50.906913042 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:51.155704975 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:51.155982018 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:51.406316042 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:51.406434059 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:51.657835960 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:51.658078909 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:51.908651114 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:51.908813000 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:52.161727905 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:52.161844015 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:52.412744045 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:52.412961960 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:52.665791988 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:52.665973902 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:52.916208029 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:52.916512012 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:53.167665958 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:53.167875051 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:53.418683052 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:53.419104099 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:53.668920994 CEST  8080         49745      83.196.78.85  192.168.2.4
                Apr 20, 2024 18:28:53.669032097 CEST  49745        8080       192.168.2.4   83.196.78.85
                Apr 20, 2024 18:28:53.919317961 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:53.919718981 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:54.065773964 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:54.066082001 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:54.169758081 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:54.169904947 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:54.317334890 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:54.317450047 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:54.420255899 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:54.420347929 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:54.568339109 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:54.568512917 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:54.670053005 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:54.670279026 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:54.819674015 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:54.820069075 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:54.920732975 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:54.921139002 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:55.074542999 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:55.074662924 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:55.174459934 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:55.174668074 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:55.328248978 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:55.328708887 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:55.425874949 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:55.426004887 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:55.578943014 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:55.579193115 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:55.677300930 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:55.677493095 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:55.829076052 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:55.829301119 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:55.927531958 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:55.927758932 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:56.080157042 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:56.080560923 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:56.178586006 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:56.178823948 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:56.330866098 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:56.331326962 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:56.429956913 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:56.430212975 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:56.580936909 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:56.581068993 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:56.680777073 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:56.681058884 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:56.931977034 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:56.932043076 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:56.932204962 CEST497458080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:57.064229012 CEST80804974583.196.78.85192.168.2.4
                Apr 20, 2024 18:28:59.067648888 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:59.281510115 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:28:59.281932116 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:59.324949980 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:59.578911066 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:28:59.579339981 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:28:59.833925009 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:00.515696049 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:00.769829035 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:00.770019054 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:01.026364088 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:01.026510954 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:01.280505896 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:01.280936956 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:01.534305096 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:01.534548998 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:01.788680077 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:01.788909912 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:02.042805910 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:02.046319962 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:02.300767899 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:02.301887035 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:02.555660009 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:02.555897951 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:02.810261011 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:02.810482979 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:03.068542004 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:03.068747044 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:03.325901031 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:03.326148987 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:03.578145981 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:03.578526020 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:03.834111929 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:03.834959030 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:04.088604927 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:04.088845015 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:04.341370106 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:04.341691971 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:04.598086119 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:04.598330021 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:04.852237940 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:04.852451086 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:05.106854916 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:05.107142925 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:05.363872051 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:05.364162922 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:05.482939959 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:05.483175039 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:05.619808912 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:05.620002985 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:05.737004995 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:05.737240076 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:05.875999928 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:05.876209974 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:05.990712881 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:05.991120100 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:06.130435944 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:06.130671978 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:06.245322943 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:06.245512962 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:06.387389898 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:06.387571096 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:06.500089884 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:06.500406027 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:06.641532898 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:06.641751051 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:06.755264997 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:06.755454063 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:06.895710945 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:06.895967960 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:07.010788918 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:07.014914989 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:07.149101019 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:07.150831938 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:07.268500090 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:07.270469904 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:07.403867960 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:07.403981924 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:07.525975943 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:07.526171923 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:07.658415079 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:07.659002066 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:07.780694008 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:07.782115936 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:07.912291050 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:07.912523031 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:08.035757065 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:08.035861015 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:08.166997910 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:08.167211056 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:08.289680958 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:08.290184975 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:08.425025940 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:08.425376892 CEST497468080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:08.484561920 CEST80804974683.196.78.85192.168.2.4
                Apr 20, 2024 18:29:10.489058971 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:10.700982094 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:10.701088905 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:10.770389080 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:11.038216114 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:11.038522959 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:11.296781063 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:11.296907902 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:11.565428972 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:11.565524101 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:11.861699104 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:11.861812115 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:12.130585909 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:12.130836964 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:12.399149895 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:12.400049925 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:12.707828045 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:12.710906982 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:12.961992979 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:12.962101936 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:13.228404999 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:13.228490114 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:13.479821920 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:13.479934931 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:13.730484962 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:13.730763912 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:13.983028889 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:13.983124018 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:14.234433889 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:14.234576941 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:14.486669064 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:14.486779928 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:14.738606930 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:14.739098072 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:14.990406036 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:14.990515947 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:15.243302107 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:15.243406057 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:15.495098114 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:15.495189905 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:15.747292995 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:15.747514963 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:15.998069048 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:15.998699903 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:16.249284029 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:16.251065016 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:16.501815081 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:16.502705097 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:16.753282070 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:16.754714012 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:16.948353052 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:17.079268932 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:17.082297087 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:17.782058954 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:18.036341906 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:18.036462069 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:18.286381960 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:18.286477089 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:18.537285089 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:18.537431955 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:18.788451910 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:18.788803101 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:19.039871931 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:19.039975882 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:19.304826975 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:19.305056095 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:19.557643890 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:19.557763100 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:19.809222937 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:19.809331894 CEST497478080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:19.950963020 CEST80804974783.196.78.85192.168.2.4
                Apr 20, 2024 18:29:21.958245039 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:22.175766945 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:22.175884962 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:22.222096920 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:22.475720882 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:22.475893021 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:22.729001999 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:22.729089022 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:22.983025074 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:22.983122110 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:23.235435009 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:23.235515118 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:23.488507986 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:23.488571882 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:23.741906881 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:23.742006063 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:23.994786024 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:23.995734930 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:24.248346090 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:24.249594927 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:24.502852917 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:24.503245115 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:24.756793022 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:24.758725882 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:25.011198997 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:25.011338949 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:25.264182091 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:25.264302969 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:25.516738892 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:25.516827106 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:25.769959927 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:25.770165920 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:26.025823116 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:26.025916100 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:26.279710054 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:26.279808998 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:26.533153057 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:26.533238888 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:26.786487103 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:26.786597967 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:27.040190935 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:27.040282965 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:27.296675920 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:27.296806097 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:27.556165934 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:27.556274891 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:27.807836056 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:27.807945967 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:28.063560963 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:28.063653946 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:28.316699028 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:28.316781998 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:28.397564888 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:28.397658110 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:28.576776028 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:28.576854944 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:28.676820993 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:28.676892996 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:28.853365898 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:28.853450060 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:28.967230082 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:28.967312098 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:29.121804953 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:29.121915102 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:29.239345074 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:29.239447117 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:29.378441095 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:29.378581047 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:29.493187904 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:29.493263960 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:29.648027897 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:29.648143053 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:29.759572983 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:29.759653091 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:29.920185089 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:29.920264959 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:30.027098894 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:30.027188063 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:30.196264982 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:30.196403027 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:30.306041002 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:30.306152105 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:30.493824005 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:30.493927956 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:30.584002018 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:30.584069014 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:30.763715982 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:30.763828039 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:30.862306118 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:30.862416029 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:31.034034014 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:31.034115076 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:31.128578901 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:31.298119068 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:31.298207045 CEST497488080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:31.406269073 CEST80804974883.196.78.85192.168.2.4
                Apr 20, 2024 18:29:33.411262035 CEST497498080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:33.651592970 CEST80804974983.196.78.85192.168.2.4
                Apr 20, 2024 18:29:33.651712894 CEST497498080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:34.033036947 CEST497498080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:34.287892103 CEST80804974983.196.78.85192.168.2.4
                Apr 20, 2024 18:29:34.287987947 CEST497498080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:34.568201065 CEST80804974983.196.78.85192.168.2.4
                Apr 20, 2024 18:29:35.694504976 CEST497498080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:35.949773073 CEST80804974983.196.78.85192.168.2.4
                Apr 20, 2024 18:29:35.950123072 CEST497498080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:36.204363108 CEST80804974983.196.78.85192.168.2.4
                Apr 20, 2024 18:29:36.204459906 CEST497498080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:36.459527969 CEST80804974983.196.78.85192.168.2.4
                Apr 20, 2024 18:29:36.459702969 CEST497498080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:36.714123964 CEST80804974983.196.78.85192.168.2.4
                Apr 20, 2024 18:29:36.714210033 CEST497498080192.168.2.483.196.78.85
                Apr 20, 2024 18:29:36.967969894 CEST80804974983.196.78.85192.168.2.4
Apr 20, 2024 18:29:36.969029903 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:37.225471020 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:37.226866961 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:37.482877970 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:37.486749887 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:37.741786957 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:37.741903067 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:37.995323896 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:37.995511055 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:38.248323917 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:38.248444080 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:38.501923084 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:38.502048969 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:38.756486893 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:38.756572008 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:39.010099888 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:39.010202885 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:39.262720108 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:39.262841940 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:39.517355919 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:39.517486095 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:39.772023916 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:39.772166014 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:39.960715055 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:39.960845947 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:39.985668898 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:39.985786915 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:40.202398062 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:40.202491999 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:40.455529928 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:40.455667019 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:40.708365917 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:40.708501101 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:40.962415934 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:40.962513924 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:41.215715885 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:41.215810061 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:41.471698999 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:41.471817970 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:41.726489067 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:41.726705074 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:41.981988907 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:41.982141972 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:42.236218929 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:42.236299992 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:42.489480972 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:42.489660978 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:42.743650913 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:42.743814945 CEST | 49749 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:42.958152056 CEST | 8080 | 49749 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:44.973658085 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:45.187103987 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:45.187259912 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:45.222012997 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:45.476272106 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:45.476444006 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:45.729269028 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:45.729355097 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:45.986387968 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:45.986512899 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:46.239918947 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:46.240012884 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:46.526572943 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:46.526742935 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:46.779958010 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:46.780097008 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:47.033329010 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:47.037075043 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:47.291446924 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:47.292764902 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:47.560240030 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:47.561794996 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:47.814881086 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:47.815015078 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:48.068468094 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:48.068634033 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:48.326380014 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:48.326555967 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:48.579967976 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:48.580132961 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:48.833271980 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:48.833606958 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:49.089384079 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:49.089652061 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:49.342386961 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:49.342524052 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:49.596945047 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:49.597119093 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:49.850722075 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:49.850837946 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:50.106425047 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:50.106535912 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:50.359930992 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:50.360038042 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:50.613784075 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:50.614008904 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:50.868999958 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:50.869177103 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:51.127304077 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:51.127401114 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:51.380577087 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:51.405466080 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:51.517865896 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:51.771266937 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:51.773085117 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:52.026360989 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:52.026480913 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:52.279936075 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:53.342408895 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:53.596348047 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:53.596431017 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:53.850162983 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:53.850486040 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:54.106959105 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:54.107379913 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:54.360424042 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:54.360745907 CEST | 49750 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:54.405898094 CEST | 8080 | 49750 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:56.410974979 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:56.626036882 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:56.626141071 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:56.685847998 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:56.941663027 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:56.941838980 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:57.196980000 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:57.197101116 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:57.452828884 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:57.453295946 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:57.708043098 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:57.708142996 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:57.961249113 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:57.961363077 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:58.215643883 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:58.217530012 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:58.471437931 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:58.471534967 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:58.725713015 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:58.728892088 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:58.982316971 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:58.982547045 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:59.236192942 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:59.236329079 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:59.490300894 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:59.490511894 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:59.744690895 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:59.744791031 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:29:59.998418093 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:29:59.998591900 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:00.252173901 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:00.252389908 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:00.506330013 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:00.506521940 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:00.762404919 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:00.762684107 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:01.016900063 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:01.017018080 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:01.270941019 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:01.271061897 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:01.526706934 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:01.526794910 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:01.779829025 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:01.779936075 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:02.034383059 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:02.034603119 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:02.347966909 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:02.359834909 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:02.359935045 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:02.560889959 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:02.561008930 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:02.577116013 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:02.577296972 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:02.790445089 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:02.790540934 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:02.836890936 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:02.836985111 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:03.004188061 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:03.004292011 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:03.089865923 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:03.090724945 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:03.259788990 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:03.262764931 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:03.344430923 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:03.344506025 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:03.516299963 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:03.518793106 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:03.597695112 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:03.598092079 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:03.776057959 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:03.778723001 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:03.850409031 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:03.850790024 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:04.032536983 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:04.032633066 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:04.104310989 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:04.104387999 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:04.286294937 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:04.286410093 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:04.359524012 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:04.359642982 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:04.539074898 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:04.539259911 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:04.613475084 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:04.613555908 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:04.794920921 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:04.795120955 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:04.868967056 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:04.869076014 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:05.048500061 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:05.048605919 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:05.125808954 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:05.126070023 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:05.302329063 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:05.302431107 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:05.379961967 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:05.380135059 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:05.555790901 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:05.555886030 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:05.634085894 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:05.634295940 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:05.809659004 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:05.809870958 CEST | 49751 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:05.840842962 CEST | 8080 | 49751 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:07.848462105 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:08.062365055 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:08.062632084 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:08.096919060 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:08.350718021 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:08.350954056 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:08.604736090 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:08.604939938 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:08.857812881 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:08.858026981 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:09.111346960 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:09.111450911 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:09.364851952 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:09.364970922 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:09.619678974 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:09.619904995 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:09.876502037 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:09.876751900 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:10.128892899 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:10.129126072 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:10.381724119 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:11.678761005 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:11.933466911 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:11.933624029 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:12.187031031 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:12.187279940 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:12.441126108 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:12.441365957 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:12.695388079 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:12.695691109 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:12.949223042 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:12.949477911 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:13.212203979 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:13.212451935 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:13.466044903 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:13.466377020 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:13.719676971 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:13.719923019 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:13.976794004 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:13.977047920 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:14.231590986 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:14.231798887 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:14.279285908 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:14.279376030 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:14.485615015 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:14.485879898 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:14.532248020 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:14.532582045 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:14.739645958 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:14.739881992 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:14.786058903 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:14.786147118 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:14.996148109 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:14.996510983 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:15.040709019 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:15.040908098 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:15.249617100 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:15.249872923 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:15.294246912 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:15.294488907 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:15.502860069 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:15.503177881 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:15.547805071 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:15.548063040 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:15.757121086 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:15.757467985 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:15.800967932 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:15.801088095 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:16.011482954 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:16.011591911 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:16.053698063 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:16.053884983 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:16.265738964 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:16.265841007 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:16.307049990 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:16.307241917 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:16.520279884 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:16.520488977 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:16.560786963 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:16.560990095 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:16.776398897 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:16.776674032 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:16.813823938 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:16.814062119 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:17.027364016 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:17.030976057 CEST | 49752 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:17.278758049 CEST | 8080 | 49752 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:19.287317991 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:19.498102903 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:19.498233080 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:19.528228998 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:19.779602051 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:19.779687881 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:20.030158043 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:20.030742884 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:20.281451941 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:20.281560898 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:20.531984091 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:20.534862995 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:20.784804106 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:20.785528898 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:21.038167000 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:21.038280010 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:21.288131952 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:21.290831089 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:21.541843891 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:21.541950941 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:21.791310072 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:21.794768095 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:22.046446085 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:22.046569109 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:22.296863079 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:22.296986103 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:22.547554970 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:22.547794104 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:22.797436953 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:22.797544003 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:23.049253941 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:23.049385071 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:23.299992085 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:23.300086975 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:23.550648928 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:23.550765991 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:23.803900957 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:23.804040909 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:24.054636955 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:24.054754972 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:24.304357052 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:24.304466963 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:24.555609941 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:24.557043076 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:24.807786942 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:24.809122086 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:25.059788942 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:25.059921026 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:25.310642958 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:25.310766935 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:25.560828924 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:25.560961962 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:25.713634014 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:25.713768959 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:25.771209002 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:25.771325111 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:25.964257956 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:25.964365959 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:26.020644903 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:26.020744085 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:26.214832067 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:26.215054989 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:26.270951986 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:26.271224022 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:26.465277910 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:26.465400934 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:26.522430897 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:26.522505045 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:26.716303110 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:26.716461897 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:26.776230097 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:26.776313066 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:26.966830969 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:26.966918945 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:27.028058052 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:27.028276920 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:27.217495918 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:27.217592955 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:27.279467106 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:27.279709101 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:27.467169046 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:27.467263937 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:27.529577017 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:27.529694080 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:27.716300964 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:27.716408968 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:27.779751062 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:27.779827118 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:27.967258930 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:27.967364073 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:28.030632973 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:28.030766964 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:28.217864037 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:28.217991114 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:28.281227112 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:28.281318903 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:28.468274117 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:28.468379974 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:28.531558990 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:28.531665087 CEST | 49753 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:28.719011068 CEST | 8080 | 49753 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:30.599185944 CEST | 49754 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:30.809353113 CEST | 8080 | 49754 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:30.809585094 CEST | 49754 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:30.847270012 CEST | 49754 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:31.098433018 CEST | 8080 | 49754 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:31.100862980 CEST | 49754 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:31.350497007 CEST | 8080 | 49754 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:31.350634098 CEST | 49754 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:31.601561069 CEST | 8080 | 49754 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:31.601885080 CEST | 49754 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:31.851989985 CEST | 8080 | 49754 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:31.852123022 CEST | 49754 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:32.101751089 CEST | 8080 | 49754 | 83.196.78.85 | 192.168.2.4
Apr 20, 2024 18:30:32.102037907 CEST | 49754 | 8080 | 192.168.2.4 | 83.196.78.85
Apr 20, 2024 18:30:32.352981091 CEST | 8080 | 49754 | 83.196.78.85 | 192.168.2.4
                Apr 20, 2024 18:30:32.353245974 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:32.604604959 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:32.604737043 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:32.855041981 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:32.855282068 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:33.106894970 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:33.107145071 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:33.358058929 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:33.358300924 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:33.608364105 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:33.608606100 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:33.859553099 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:33.859808922 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:34.110167027 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:34.110368967 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:34.361174107 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:34.361454964 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:34.612355947 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:34.612631083 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:34.863259077 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:34.863482952 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:35.113260031 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:35.113511086 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:35.364846945 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:35.365209103 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:35.615520954 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:35.615730047 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:35.866271973 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:35.866611958 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:36.117095947 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:36.117232084 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:36.367809057 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:36.367958069 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:36.618526936 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:36.618933916 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:36.869420052 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:36.869692087 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:37.028341055 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:37.028459072 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:37.121119022 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:37.121360064 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:37.278455973 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:37.278677940 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:37.371694088 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:37.371840954 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:37.529290915 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:37.529505014 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:37.623554945 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:37.623683929 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:37.779941082 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:37.780234098 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:37.877285004 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:37.877625942 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:38.030643940 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:38.030877113 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:38.128213882 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:38.128492117 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:38.281759977 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:38.282012939 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:38.378484011 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:38.378844976 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:38.532381058 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:38.532526016 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:38.629281044 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:38.629395962 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:38.783938885 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:38.784060955 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:38.881403923 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:38.881730080 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:39.033549070 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:39.034058094 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:39.132297993 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:39.132419109 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:39.284632921 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:39.284779072 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:39.383344889 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:39.383539915 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:39.535712957 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:39.535962105 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:39.634320021 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:39.634665012 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:39.786504984 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:39.786863089 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:39.884732962 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:39.884855986 CEST497548080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:40.029220104 CEST80804975483.196.78.85192.168.2.4
                Apr 20, 2024 18:30:41.786214113 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:42.000288010 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:42.000619888 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:42.037902117 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:42.290697098 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:42.294748068 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:42.549988985 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:42.550087929 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:42.803844929 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:42.804069042 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:43.057821035 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:43.058047056 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:43.311966896 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:43.312412977 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:43.566313982 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:43.566627026 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:43.818707943 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:43.818957090 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:44.072923899 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:44.937053919 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:45.188281059 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:45.188504934 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:45.441915989 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:45.442050934 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:45.694643974 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:45.695036888 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:45.947494984 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:45.947740078 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:46.201493025 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:46.201728106 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:46.455208063 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:46.455457926 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:46.785567999 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:46.814384937 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:46.814610004 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:47.000247955 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:47.000462055 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:47.027395010 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:47.027628899 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:47.241621017 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:47.244976044 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:47.586730957 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:47.598298073 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:47.598304033 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:47.800241947 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:47.801120996 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:47.810297012 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:48.055027008 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:48.055289030 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:48.211075068 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:48.211385965 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:48.268640995 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:48.268965960 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:48.466681957 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:48.466976881 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:48.521186113 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:48.521493912 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:48.720990896 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:48.721196890 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:48.777473927 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:48.777661085 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:48.977540970 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:48.977726936 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:49.031204939 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:49.031589031 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:49.232342005 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:49.232608080 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:49.285041094 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:49.285274982 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:49.486736059 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:49.487147093 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:49.539797068 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:49.540199041 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:49.741345882 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:49.741601944 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:49.794298887 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:49.794563055 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:49.994889021 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:49.995112896 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:50.047739983 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:50.047940969 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:50.248301983 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:50.248553038 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:50.300914049 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:50.301345110 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:50.501952887 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:50.502264023 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:50.554713011 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:50.554948092 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:50.755775928 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:50.756108046 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:50.808590889 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:50.808810949 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:51.010019064 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:51.010148048 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:51.062331915 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:51.062566042 CEST497558080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:51.211925030 CEST80804975583.196.78.85192.168.2.4
                Apr 20, 2024 18:30:52.849400997 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:53.062670946 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:53.062778950 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:53.091866016 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:53.345848083 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:53.345961094 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:53.602283955 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:53.602359056 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:53.854283094 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:53.854384899 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:54.108975887 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:54.112828970 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:54.366722107 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:54.369041920 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:54.627147913 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:54.628992081 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:54.882602930 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:54.882770061 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:55.137460947 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:55.137686014 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:55.391386032 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:55.391501904 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:55.645554066 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:55.645739079 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:55.898684978 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:55.898802996 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:56.151695967 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:56.151798964 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:56.405622005 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:56.405859947 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:56.659460068 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:56.659558058 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:56.915400028 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:56.915503979 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:57.168575048 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:57.168662071 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:57.422091961 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:57.422306061 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:57.677650928 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:57.677900076 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:57.931168079 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:57.931255102 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:58.184243917 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:58.184756994 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:58.438690901 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:58.441836119 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:58.694799900 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:58.698824883 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:58.952334881 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:58.954833031 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:59.208905935 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:59.208996058 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:59.271203995 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:59.271275043 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:59.462460995 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:59.462575912 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:59.527043104 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:59.527144909 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:59.715581894 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:59.715774059 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:59.780473948 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:59.780544043 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:30:59.969280005 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:30:59.969477892 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:31:00.034790039 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:31:00.034970045 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:31:00.222944975 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:31:00.223050117 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:31:00.288158894 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:31:00.288247108 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:31:00.478300095 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:31:00.478374958 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:31:00.542504072 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:31:00.542577982 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:31:00.732927084 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:31:00.732997894 CEST497568080192.168.2.483.196.78.85
                Apr 20, 2024 18:31:00.796293974 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:31:00.986432076 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:31:02.278933048 CEST80804975683.196.78.85192.168.2.4
                Apr 20, 2024 18:31:03.989350080 CEST497578080192.168.2.483.196.78.85
                Apr 20, 2024 18:31:04.203020096 CEST80804975783.196.78.85192.168.2.4
                Apr 20, 2024 18:31:04.206897020 CEST497578080192.168.2.483.196.78.85
                Apr 20, 2024 18:31:04.237622976 CEST497578080192.168.2.483.196.78.85
                Apr 20, 2024 18:31:04.491055012 CEST80804975783.196.78.85192.168.2.4
                Apr 20, 2024 18:31:04.491149902 CEST497578080192.168.2.483.196.78.85
                Apr 20, 2024 18:31:04.743674040 CEST80804975783.196.78.85192.168.2.4
                Apr 20, 2024 18:31:04.743752003 CEST497578080192.168.2.483.196.78.85
                Apr 20, 2024 18:31:04.997384071 CEST80804975783.196.78.85192.168.2.4
                Apr 20, 2024 18:31:04.997533083 CEST497578080192.168.2.483.196.78.85
                Apr 20, 2024 18:31:05.251071930 CEST80804975783.196.78.85192.168.2.4

                Target ID:0
                Start time:18:26:56
                Start date:20/04/2024
                Path:C:\Users\user\Desktop\YKTNuK117e.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\YKTNuK117e.exe"
                Imagebase:0x5f0000
                File size:32'256 bytes
                MD5 hash:200A92AD17110CB3DACC7387B12186C6
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
                • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.1683506708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1748887345.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.1748887345.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.1748887345.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.1748887345.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low
                Has exited:true

                Target ID:1
                Start time:18:27:03
                Start date:20/04/2024
                Path:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Local\Temp\WindowsServices.exe"
                Imagebase:0x470000
                File size:32'256 bytes
                MD5 hash:200A92AD17110CB3DACC7387B12186C6
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.4155853569.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, Author: Joe Security
                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, Author: unknown
                • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, Author: Florian Roth
                • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, Author: Brian Wallace @botnet_hunter
                • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, Author: JPCERT/CC Incident Response Group
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, Author: ditekSHen
                Antivirus matches:
                • Detection: 100%, Avira
                • Detection: 100%, Joe Sandbox ML
                • Detection: 87%, ReversingLabs
                • Detection: 83%, Virustotal, Browse
                Reputation:low
                Has exited:false

                Target ID:2
                Start time:18:27:09
                Start date:20/04/2024
                Path:C:\Windows\SysWOW64\netsh.exe
                Wow64 process (32bit):true
                Commandline:netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
                Imagebase:0x1560000
                File size:82'432 bytes
                MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:true

                Target ID:3
                Start time:18:27:09
                Start date:20/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:7
                Start time:18:27:21
                Start date:20/04/2024
                Path:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
                Imagebase:0x270000
                File size:32'256 bytes
                MD5 hash:200A92AD17110CB3DACC7387B12186C6
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                Target ID:8
                Start time:18:27:31
                Start date:20/04/2024
                Path:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
                Imagebase:0xe50000
                File size:32'256 bytes
                MD5 hash:200A92AD17110CB3DACC7387B12186C6
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                Target ID:9
                Start time:18:27:39
                Start date:20/04/2024
                Path:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
                Imagebase:0xac0000
                File size:32'256 bytes
                MD5 hash:200A92AD17110CB3DACC7387B12186C6
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true
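The netsh process listed above adds a Windows Firewall exclusion for the copy dropped in %TEMP% (the legacy `netsh firewall add allowedprogram` context is deprecated in favour of `netsh advfirewall firewall`, but still accepted, so detections should cover both syntaxes). The Python below is an added example for this report, not Joe Sandbox or sample code: it parses process-creation events of the kind exported from Sysmon Event ID 1 or Security 4688, extracts the program path from either netsh syntax, and marks exclusions whose target lives in a user-writable directory. The field names, the list of user-writable path fragments and the PIDs are assumptions; the event records are constructed for illustration, and only the first command line is the one observed in this report.

```python
"""Flag Windows Firewall exclusions that whitelist a binary in a user-writable
directory, as seen in the netsh command line recorded in this report.

Added example for this report; it is not Joe Sandbox or sample code. The event
records in SAMPLE_EVENTS are constructed for illustration (only the first
command line is the one observed in the report; PIDs are made up)."""
import re
from dataclasses import dataclass

# Path fragments an unprivileged user can write to (assumed list). A firewall
# exclusion for a program under one of these deserves a closer look than one
# under Program Files.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
)

# Matches "netsh ..." or "\"C:\\Windows\\System32\\netsh.exe\" ..."; group 1 is the rest.
NETSH_RE = re.compile(r'^\s*"?(?:[a-z]:\\[^"\s]*\\)?netsh(?:\.exe)?"?\s+(.+)$', re.I)
# Legacy context, positional or keyword form:
#   firewall add allowedprogram "<path>" "<name>" ENABLE
#   firewall add allowedprogram program="<path>" name=<name> mode=ENABLE
LEGACY_RE = re.compile(
    r'^firewall\s+(?:add|set)\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
# Current context: advfirewall firewall add rule ... program="<path>" ...
ADV_RE = re.compile(
    r'^advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)


@dataclass
class Finding:
    pid: int
    syntax: str        # "legacy" or "advfirewall"
    program: str       # program path the exclusion applies to
    user_writable: bool


def parse_firewall_exclusion(cmdline):
    """Return (syntax, program_path) if cmdline adds a per-program firewall
    exclusion through netsh, otherwise None."""
    m = NETSH_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(1)
    for syntax, rx in (("legacy", LEGACY_RE), ("advfirewall", ADV_RE)):
        hit = rx.search(rest)
        if hit:
            return syntax, (hit.group(1) or hit.group(2))
    return None


def is_user_writable(path):
    """True if the path sits under a directory a standard user can write to."""
    normalised = path.lower().replace("/", "\\")
    return any(marker in normalised for marker in USER_WRITABLE_MARKERS)


def scan_events(events):
    """Run the exclusion check over process-creation events, given as dicts
    with ProcessId and CommandLine (assumed export format)."""
    findings = []
    for ev in events:
        parsed = parse_firewall_exclusion(ev["CommandLine"])
        if parsed is None:
            continue
        syntax, program = parsed
        findings.append(Finding(ev["ProcessId"], syntax, program, is_user_writable(program)))
    return findings


# Constructed sample events. The first CommandLine is the one recorded in this
# report; the others are made up to exercise the remaining code paths.
SAMPLE_EVENTS = [
    {"ProcessId": 6120,
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE'},
    {"ProcessId": 6144,
     "CommandLine": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\Users\user\AppData\Roaming\svc\updater.exe" enable=yes'},
    {"ProcessId": 6180,
     "CommandLine": r'netsh advfirewall firewall add rule name="Vendor App" dir=in action=allow program="C:\Program Files\Vendor\app.exe"'},
    {"ProcessId": 6200,
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        level = "HIGH" if f.user_writable else "low"
        print(f"[{level}] pid={f.pid} {f.syntax}: firewall exclusion for {f.program}")
```

Run against the constructed events, the report's own command line and the AppData\Roaming rule come out as high-severity findings, the Program Files rule is kept as a low-severity audit entry, and the conhost line is ignored. Pairing the program path with the parent process (here the sample itself launching netsh) would raise confidence further, but that field is not part of the excerpt above.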


                  Execution Graph

                  Execution Coverage:17.2%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:47
                  Total number of Limit Nodes:2
                  Execution graph, listed as entry address -> intermediate block -> Win32 API reached (the rendered node identifiers are omitted). All entries lie in the 00EFA000 memory region, which is not backed by a PE image (see the Memory Dump Source entries below):
                  • efa94f -> efa986 -> CreateFileW
                  • efa986 -> CreateFileW
                  • efaa5c -> efaa9e -> GetFileType
                  • efac0e -> efac2e -> WriteFile
                  • efac2e -> WriteFile
                  • efa710 -> efa74e -> FindCloseChangeNotification
                  • efa74e -> FindCloseChangeNotification
                  • efa612 -> efa646 -> CreateMutexW
                  • efa646 -> CreateMutexW
                  • efa361 -> efa392 -> RegQueryValueExW
                  • efa462 -> efa486 -> RegSetValueExW
                  • efa2d2 -> SetErrorMode
                  • efa2fe -> SetErrorMode
                  • efae30 -> efae52 -> ShellExecuteExW
                  • efae52 -> ShellExecuteExW

                  Callgraph

                  97 functions recovered in four address ranges (the rendered node and edge list is summarised here; functions with a resolved API call have their own disassembly entry below):
                  • 00EF2xxx (18 functions): 00EF2005, 00EF2044, 00EF2098, 00EF20D0, 00EF213C, 00EF2194, 00EF21F0, 00EF2264, 00EF22B4, 00EF2310, 00EF2364, 00EF23BC, 00EF23F4, 00EF2430, 00EF2458, 00EF2531, 00EF262D, 00EF268E
                  • 00EFAxxx (44 functions): 00EFA005, 00EFA02E, 00EFA078, 00EFA09A, 00EFA120, 00EFA172, 00EFA1F4, 00EFA23C, 00EFA25E, 00EFA2D2, 00EFA2FE, 00EFA361, 00EFA392, 00EFA45C, 00EFA462, 00EFA486, 00EFA540, 00EFA56E, 00EFA612, 00EFA646, 00EFA710, 00EFA74E, 00EFA7C7, 00EFA81E, 00EFA8A4, 00EFA8C6, 00EFA94F, 00EFA986, 00EFAA5C, 00EFAA9E, 00EFAB2C, 00EFAB5E, 00EFAC04, 00EFAC0E, 00EFAC2E, 00EFACD7, 00EFAD12, 00EFAD80, 00EFADAA, 00EFAE1D, 00EFAE30, 00EFAE52, 00EFAED3, 00EFAF06
                  • 0107xxxx (13 functions): 01070001, 0107003E, 01070074, 0107026D, 010705C1, 010705D1, 010705E1, 01070606, 01070648, 0107066A, 0107067F, 01070710, 01070740
                  • 04DBxxxx (22 functions): 04DB0007, 04DB0080, 04DB0268, 04DB0278, 04DB0392, 04DB0429, 04DB06DB, 04DB0727, 04DB07C7, 04DB08D3, 04DB096F, 04DB0A5A, 04DB0AF6, 04DB0B3E, 04DB0BD0, 04DB0E24, 04DB0E77, 04DB0F4E, 04DB1027, 04DB10E3, 04DB11DE, 04DB121F
                  • Resolved call edges: Function_04DB0392, Function_04DB0278, Function_04DB0268 and Function_04DB0429 each have edges to Function_01070606, Function_04DB0BD0, Function_04DB0392, Function_04DB0278, Function_04DB0268 and Function_010705E1 (the first three thus call each other and themselves); Function_01070648 has an edge to Function_0107066A. No other edges were resolved.

                  Control-flow Graph

                  Function efa94f: basic blocks efa94f-efaa5a; CreateFileW called from block efa9ff-efaa23 (rendered graph omitted)
                  APIs
                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00EFAA05
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 1bf6398484cab0381e80b6e938130291da353c54cdc984335c3a4d6a96159a67
                  • Instruction ID: 0c7afb73855011ffae75e1edc185bf18da96f595c5235c40e3669b85ee24f457
                  • Opcode Fuzzy Hash: 1bf6398484cab0381e80b6e938130291da353c54cdc984335c3a4d6a96159a67
                  • Instruction Fuzzy Hash: 4C31D2B15053806FE722CB25DD44B62BFF8EF06314F0888AAE9848B652D275E909CB71
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Function efa612: basic blocks efa612-efa70e; CreateMutexW called from block efa6b3-efa6d7 (rendered graph omitted)
                  APIs
                  • CreateMutexW.KERNELBASE(?,?), ref: 00EFA6B9
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: 4c069306af840ea1880aa83a2bfdf2a5b0f4f421205e8023d556554a83f64540
                  • Instruction ID: ab98a299f8a650482a53dca89895446fe96789637c0db8869cd7416ddd543d4d
                  • Opcode Fuzzy Hash: 4c069306af840ea1880aa83a2bfdf2a5b0f4f421205e8023d556554a83f64540
                  • Instruction Fuzzy Hash: 5C31B7B15093845FE711CB25DC45B56BFF8EF06314F0884AAE984CF692D375E909C762
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Function efa361: basic blocks efa361-efa447; RegQueryValueExW called from block efa406-efa419 (rendered graph omitted)
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,26E409AD,00000000,00000000,00000000,00000000), ref: 00EFA40C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: 60c495bf4ff542b13985431e2d4091b4a61997c34bfa73398d0b385ff033cfc1
                  • Instruction ID: f2c90d96b9f19df980e25f0958a79f55e6c576b4b353233524065cbf8298f889
                  • Opcode Fuzzy Hash: 60c495bf4ff542b13985431e2d4091b4a61997c34bfa73398d0b385ff033cfc1
                  • Instruction Fuzzy Hash: 8431B4B15053845FD721CF15CC84FA6BBF8EF05714F0884AAE945DB652D364E909CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Function efa462: basic blocks efa462-efa533; RegSetValueExW called from block efa4f2-efa505 (rendered graph omitted)
                  APIs
                  • RegSetValueExW.KERNELBASE(?,00000E24,26E409AD,00000000,00000000,00000000,00000000), ref: 00EFA4F8
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: Value
                  • String ID:
                  • API String ID: 3702945584-0
                  • Opcode ID: 9e7f8455095d5845d157619e6fb1927abdb1976ca5af7df5045f5fcd54dae09d
                  • Instruction ID: c636e9b0fdff210a530f57655bdfe32f1695a9a0c835d1a79f2fd9c0dae6dc07
                  • Opcode Fuzzy Hash: 9e7f8455095d5845d157619e6fb1927abdb1976ca5af7df5045f5fcd54dae09d
                  • Instruction Fuzzy Hash: 1921C4B25043846FD7228F51DC44FA7BFF8DF46714F08849AE985DB652C264E809C772
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Function efa986: basic blocks efa986-efaa5a; CreateFileW called from block efa9ff-efaa07 (rendered graph omitted)
                  APIs
                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00EFAA05
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 1ffccda2bb54d08eb577ba7a4e850431b772f29277071c8a2234583690dbcaa7
                  • Instruction ID: c0e0510da8dae60cb9b8735b92950a511f57923699bac5514c5db83db2477c43
                  • Opcode Fuzzy Hash: 1ffccda2bb54d08eb577ba7a4e850431b772f29277071c8a2234583690dbcaa7
                  • Instruction Fuzzy Hash: 6321B571500244AFE721DF65DD45BA6FBE8EF04314F08887DEA499B651D375E408CB72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Function efaa5c: basic blocks efaa5c-efab2a; GetFileType called from block efaaeb-efaafe (rendered graph omitted)
                  APIs
                  • GetFileType.KERNELBASE(?,00000E24,26E409AD,00000000,00000000,00000000,00000000), ref: 00EFAAF1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: FileType
                  • String ID:
                  • API String ID: 3081899298-0
                  • Opcode ID: 8d18c756bb16710e86741a6f5c992b7978f50cd1f515f9e1f3110d899f97f2d5
                  • Instruction ID: 20a65538e7aca8db619e85cc4fed4aa9e68a7175534aac50a39159f59b0774b5
                  • Opcode Fuzzy Hash: 8d18c756bb16710e86741a6f5c992b7978f50cd1f515f9e1f3110d899f97f2d5
                  • Instruction Fuzzy Hash: F92129B55087806FE7228B25DC44BA3BFBCEF46724F0884DAE9858B653D264A909C771
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Function efa646: basic blocks efa646-efa70e; CreateMutexW called from block efa6b3-efa6bb (rendered graph omitted)
                  APIs
                  • CreateMutexW.KERNELBASE(?,?), ref: 00EFA6B9
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: 7d3f183236d9e81b21727aaf8ace6d8b005cb78f7056a3b8fac9a05230d41274
                  • Instruction ID: 246aac822600af788ef5e5a587dc746d3ae1eb0e3993b4e9f7964a45f0c74340
                  • Opcode Fuzzy Hash: 7d3f183236d9e81b21727aaf8ace6d8b005cb78f7056a3b8fac9a05230d41274
                  • Instruction Fuzzy Hash: F721A1B16002449FE720DF25DD45BA6FBE8EF04314F08C87AEA49DF641D775E905CA62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Function efac0e: basic blocks efac0e-efacd5; WriteFile called from block efac87-efaca7 (rendered graph omitted)
                  APIs
                  • WriteFile.KERNELBASE(?,00000E24,26E409AD,00000000,00000000,00000000,00000000), ref: 00EFAC8D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: FileWrite
                  • String ID:
                  • API String ID: 3934441357-0
                  • Opcode ID: 26b3bcea7d31e94c1a864c64b3f80a35625b488fabd07c403b75954ce0694ce5
                  • Instruction ID: 8e4905465b8d50f5a5688d1f171023ee3d58aa6744a613acf2500b9dbd76901f
                  • Opcode Fuzzy Hash: 26b3bcea7d31e94c1a864c64b3f80a35625b488fabd07c403b75954ce0694ce5
                  • Instruction Fuzzy Hash: 8921F671405380AFD722CF55DD44FA7FFB8EF45314F0888AAE9459B652C235A909CB72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Function efa392: basic blocks efa392-efa447; RegQueryValueExW called from block efa406-efa419 (rendered graph omitted)
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,26E409AD,00000000,00000000,00000000,00000000), ref: 00EFA40C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: 4a1bf0ffc0a58d1a9aca7e9639e222c61bc31bee8b81e275145c51a4f54d4d7d
                  • Instruction ID: 06ed4f55e1a6225b81c187819ffadbeed7dcdcd43bca476d6094d7098fabab06
                  • Opcode Fuzzy Hash: 4a1bf0ffc0a58d1a9aca7e9639e222c61bc31bee8b81e275145c51a4f54d4d7d
                  • Instruction Fuzzy Hash: 58216DB56002089FE721CE15CD84FA6B7E8EF04714F08C46AEA599BA51D764E909CA72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Function efa710: basic blocks efa710-efa7c5; FindCloseChangeNotification called from block efa77a-efa782 (rendered graph omitted)
                  APIs
                  • FindCloseChangeNotification.KERNELBASE(?), ref: 00EFA780
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0
                  • Opcode ID: 53a80b7102ef66b670c79939d0b28f61ac9b3d61400f1b559a68ccbc920e590c
                  • Instruction ID: 29d96ca5b0930d6ebf2698a6072d97305b45bb37d827d2e3134829a3760ca294
                  • Opcode Fuzzy Hash: 53a80b7102ef66b670c79939d0b28f61ac9b3d61400f1b559a68ccbc920e590c
                  • Instruction Fuzzy Hash: 5B2105B55093809FD7128F25DD85B52BFB4EF02324F0984EBDD858F693D235A905CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Function efa486: basic blocks efa486-efa533; RegSetValueExW called from block efa4f2-efa505 (rendered graph omitted)
                  APIs
                  • RegSetValueExW.KERNELBASE(?,00000E24,26E409AD,00000000,00000000,00000000,00000000), ref: 00EFA4F8
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: Value
                  • String ID:
                  • API String ID: 3702945584-0
                  • Opcode ID: 47ef4bc5716392e92c92017e37fd851c3847b676baa875db2b192c407f8cf812
                  • Instruction ID: e62074d0e60608576ef03a1e46f1f348041115726efb143ce79b81528c2b66dc
                  • Opcode Fuzzy Hash: 47ef4bc5716392e92c92017e37fd851c3847b676baa875db2b192c407f8cf812
                  • Instruction Fuzzy Hash: 8C11B1B6500304AFE7318E15DD45FA7BBECEF04714F08846AEE499AA41D774E809CA72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Function efa2d2: basic blocks efa2d2-efa35f; SetErrorMode called from block efa32a-efa33d (rendered graph omitted)
                  APIs
                  • SetErrorMode.KERNELBASE(?), ref: 00EFA330
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: ErrorMode
                  • String ID:
                  • API String ID: 2340568224-0
                  • Opcode ID: e61d5d4e479aa1c00ff8ddec0b6bd12dd62832de88287c7a04af8a7c215b104a
                  • Instruction ID: 84f5fef48bffac17c453343d09eff9d5c84cf9efe7c0245e71f60bd33ba2a741
                  • Opcode Fuzzy Hash: e61d5d4e479aa1c00ff8ddec0b6bd12dd62832de88287c7a04af8a7c215b104a
                  • Instruction Fuzzy Hash: 39217F7140E3C45FD7138B25DC54A62BFB49F07224F0D80DBDD848F2A3C269A808DB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Function efac2e: basic blocks efac2e-efacd5; WriteFile called from block efac87-efac8f (rendered graph omitted)
                  APIs
                  • WriteFile.KERNELBASE(?,00000E24,26E409AD,00000000,00000000,00000000,00000000), ref: 00EFAC8D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: FileWrite
                  • String ID:
                  • API String ID: 3934441357-0
                  • Opcode ID: b21c43c921531341e974ecbd4cda5dc7f88acdad641f518434b2755d9fa2d2b0
                  • Instruction ID: eec0580f55beb0d8ad314936c463ec32845d4ce12f0d88a645c937783c829aad
                  • Opcode Fuzzy Hash: b21c43c921531341e974ecbd4cda5dc7f88acdad641f518434b2755d9fa2d2b0
                  • Instruction Fuzzy Hash: 7811E271500204AFEB218F55DD44FA6FBA8EF04714F08886AEA499AA41C375A5098BB2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Function efae30: basic blocks efae30-efaed1; ShellExecuteExW called from block efae86-efaea6 (rendered graph omitted)
                  APIs
                  • ShellExecuteExW.SHELL32(?), ref: 00EFAE8C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: ExecuteShell
                  • String ID:
                  • API String ID: 587946157-0
                  • Opcode ID: 3ed4d720e8f8c1e77ebe6a38e609d7f343271f1c66b559dd59d6a3a02d9724eb
                  • Instruction ID: e3287530cbfff9dde9477e894e088f4104239b546292e524fd64b3f0a6c26241
                  • Opcode Fuzzy Hash: 3ed4d720e8f8c1e77ebe6a38e609d7f343271f1c66b559dd59d6a3a02d9724eb
                  • Instruction Fuzzy Hash: D61190715093849FD712CF25DC84B62BFB89F46224F0884EAED89CF652D274E948CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Function efaa9e: basic blocks efaa9e-efab2a; GetFileType called from block efaaeb-efaafe (rendered graph omitted)
                  APIs
                  • GetFileType.KERNELBASE(?,00000E24,26E409AD,00000000,00000000,00000000,00000000), ref: 00EFAAF1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: FileType
                  • String ID:
                  • API String ID: 3081899298-0
                  • Opcode ID: ffa31bedf2622e8deee4933cd7b7b2bb8e11dae840ce2162756777d06cdcd2fa
                  • Instruction ID: 53e7f5f28712d1c2356a889dc6ebd9020f4c498eaa056700e9200fa0dbb42a59
                  • Opcode Fuzzy Hash: ffa31bedf2622e8deee4933cd7b7b2bb8e11dae840ce2162756777d06cdcd2fa
                  • Instruction Fuzzy Hash: 7A010471500204AEE7208B15DD84BB6B7A8DF44724F08C4B6EE089FA41D678A808CAA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ShellExecuteExW.SHELL32(?), ref: 00EFAE8C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: ExecuteShell
                  • String ID:
                  • API String ID: 587946157-0
                  • Opcode ID: dbd9f1c2ead51ba23b4d8f8c605be12e29d975d898e29dc304d659f12c3f99d9
                  • Instruction ID: eaf1e7d6c4090516b2dcde9d767ff469192dee6b115466bfc81eaeca9c60f2c0
                  • Opcode Fuzzy Hash: dbd9f1c2ead51ba23b4d8f8c605be12e29d975d898e29dc304d659f12c3f99d9
                  • Instruction Fuzzy Hash: 600180716002448FEB20CF29D9847A6BBE8DF44724F0CC4BADE49DFA45D679E944CA62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • FindCloseChangeNotification.KERNELBASE(?), ref: 00EFA780
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0
                  • Opcode ID: 26466606b972c698f43229d92ff184066f2f5cea761542e19c665fa6ed7216bf
                  • Instruction ID: 70719a97bb512e939a92a419b5dddd83bc0d747d973b6ea12b38094967256667
                  • Opcode Fuzzy Hash: 26466606b972c698f43229d92ff184066f2f5cea761542e19c665fa6ed7216bf
                  • Instruction Fuzzy Hash: 1A01B1B59002448FEB209F15D984BA6FBA4DF04324F08C4BBDD499FA86D679E404CAA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetErrorMode.KERNELBASE(?), ref: 00EFA330
                  Memory Dump Source
                  • Source File: 00000000.00000002.1748675180.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_efa000_YKTNuK117e.jbxd
                  Similarity
                  • API ID: ErrorMode
                  • String ID:
                  • API String ID: 2340568224-0
                  • Opcode ID: f54f6d2ddda7eb4322392ca87cfe95301d1d6ca37127c04c067f8bb5fffb20d4
                  • Instruction ID: 870389390da0091c056450d7b167e5b3b885b1dfcb2a8414ad7193977bc5f8fa
                  • Opcode Fuzzy Hash: f54f6d2ddda7eb4322392ca87cfe95301d1d6ca37127c04c067f8bb5fffb20d4
                  • Instruction Fuzzy Hash: 40F08C759052448FDB209F09D9847A5FBE0EF04724F0CC4AADE495FB52D2B9A808CAA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1749044875.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4db0000_YKTNuK117e.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9019144269996555b6beb138ca6d6c5ea736e35b34a0c6de117b4c538b93a225
                  • Instruction ID: ffc30a706e03867bd28850a0ebec6632a330a9d60db331f0894295ae1724bb78
                  • Opcode Fuzzy Hash: 9019144269996555b6beb138ca6d6c5ea736e35b34a0c6de117b4c538b93a225
                  • Instruction Fuzzy Hash: 44324830A01218CFDB24EF75D854BADB7B2BF48304F1084A9D44AAB3A5DB35AD85CF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1749044875.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4db0000_YKTNuK117e.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 06124f87966def5ab79ef6971af3f212ff7a1936cfc3bbbb9b2140f633408fc0
                  • Instruction ID: d1fca52572cc24c6620a9edd277f3edcd881280d781c999b0628c4d09dcf62f1
                  • Opcode Fuzzy Hash: 06124f87966def5ab79ef6971af3f212ff7a1936cfc3bbbb9b2140f633408fc0
                  • Instruction Fuzzy Hash: 56D11534A01218CFDB24EF75D891BADB7B2BF88304F1045A9D80AA7395DB35AD85CF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1749044875.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4db0000_YKTNuK117e.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 374663f7eeb7d17b05770f724d0468cce310eb8fb8af2d21f278d45c421a94bc
                  • Instruction ID: 10a57b8810d25de3e637de65acb5087dd3d10c95c1bef531aa516cbdb9623d61
                  • Opcode Fuzzy Hash: 374663f7eeb7d17b05770f724d0468cce310eb8fb8af2d21f278d45c421a94bc
                  • Instruction Fuzzy Hash: 8F815930A01218CFDB24EF75C844BADB7B2BF49305F1084A9D44AAB391DB399E85CF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1749044875.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4db0000_YKTNuK117e.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f82adc6424d73020bf065bf16674185d20b5ca0f9282db042da4b99e878336f8
                  • Instruction ID: 6ddca9c9ca605ada3f9a9aa7cf5f83592b8febc73d2f22d9013be7aee52191b3
                  • Opcode Fuzzy Hash: f82adc6424d73020bf065bf16674185d20b5ca0f9282db042da4b99e878336f8
                  • Instruction Fuzzy Hash: 5B612830A01218CFDB24EF75C944BADB7B2BF44308F1084A9D14AAB295DB799E85DF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1749044875.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4db0000_YKTNuK117e.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d5cb9ea97fab0ee63268181f7f751f352dc28125ed62778013276023c73d2fd9
                  • Instruction ID: 677d05837567d797d7a9d5995425e93715b6a7dcb7bae3fbb3798ad55d8add10
                  • Opcode Fuzzy Hash: d5cb9ea97fab0ee63268181f7f751f352dc28125ed62778013276023c73d2fd9
                  • Instruction Fuzzy Hash: 40512830A01218CFDB64EF75C940BADB7B2AF45304F5084A9D14AAB391DB399E89DF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1749044875.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4db0000_YKTNuK117e.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 09ff2e8143a30f4c4f56c9f545b6197e3a510f07ac215f30931c596d2edc43a9
                  • Instruction ID: bc5a546d12b6b6a49643384e20a4e145f5c6f81109e0c9eca81a2214ccc7ccca
                  • Opcode Fuzzy Hash: 09ff2e8143a30f4c4f56c9f545b6197e3a510f07ac215f30931c596d2edc43a9
                  • Instruction Fuzzy Hash: 94413430106646CFC724FF3AE981A8977F6AF9024D704883DD104CB66EDB385D49DB82
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1749044875.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4db0000_YKTNuK117e.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 653418b70eecb55ac48dbd17abc6d26308c7f886c6600a410aff7381e149f260
                  • Instruction ID: 35ccc42d0f39b34028810e4431ca9bf70bfb5d2f2dfd6007ee5228f54406bcb1
                  • Opcode Fuzzy Hash: 653418b70eecb55ac48dbd17abc6d26308c7f886c6600a410aff7381e149f260
                  • Instruction Fuzzy Hash: 7901369659F7C01FD30312701CB56953F74AA53106B5E41CBC8C0CB0E3A50D5A1FA332
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1748837354.0000000001070000.00000040.00000020.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1070000_YKTNuK117e.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9dc6432238e7a188080eac0936d97c1feb6cd90b69a09fb7dd29cbc27b711bd4
                  • Instruction ID: d5d5bf73fbc0dad7edac06e49a4b53ebf42823fd45be2f5d6820c07f7420d88e
                  • Opcode Fuzzy Hash: 9dc6432238e7a188080eac0936d97c1feb6cd90b69a09fb7dd29cbc27b711bd4
                  • Instruction Fuzzy Hash: AE0186B65097805FD7118B05EC40862FFE8EF86620709C4AFE9498BA12D225A909CBB2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1748837354.0000000001070000.00000040.00000020.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1070000_YKTNuK117e.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f4834e27daf2d0c46753a53b66b9a81d1d8a5daceeac7cc6329d391420ed5f5d
                  • Instruction ID: 65242882a6fc202959b9c9254d7bd404a884f8dd3ea5f847b9a76f3e63bee343
                  • Opcode Fuzzy Hash: f4834e27daf2d0c46753a53b66b9a81d1d8a5daceeac7cc6329d391420ed5f5d
                  • Instruction Fuzzy Hash: FBE092B6A006404BD650DF0AFD81452F7D8EB88630708C47FDC0D8BB11D276B509CEA6
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1748663884.0000000000EF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF2000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_ef2000_YKTNuK117e.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8782e5d579a877e392218bed73115e739092edfc357638f6131194ff4412592d
                  • Instruction ID: a774835cdf9dc99bec3dbae96f81ab2d4ad67043c932ed0b5feb12624e6d6365
                  • Opcode Fuzzy Hash: 8782e5d579a877e392218bed73115e739092edfc357638f6131194ff4412592d
                  • Instruction Fuzzy Hash: 74D02E79200AC04FD3238A0CC2A4BA537D4AB40708F0A04FEA800CB763C7A8D980E200
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1748663884.0000000000EF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF2000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_ef2000_YKTNuK117e.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 05b41370e8d6a38b5e44d753c423e6c0080fdba72e824027b6a825d8302edc28
                  • Instruction ID: 68af568591e1c001fb2b678a75d3ea8a48343f92dd264341abece850ee03cea7
                  • Opcode Fuzzy Hash: 05b41370e8d6a38b5e44d753c423e6c0080fdba72e824027b6a825d8302edc28
                  • Instruction Fuzzy Hash: 17D05E742016864BC725DE0CC6D4F6977D4AB40718F0644ECAD109B762C7B8D8C4DA00
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1748663884.0000000000EF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF2000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_ef2000_YKTNuK117e.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0317c3f0e4ea66a61d0c7a994c95ba1455f35460a6b3cde5cc91617376edcd65
                  • Instruction ID: 3fb8fdfcd1999ab7395fd88dd789e3f926f5ec0112244f779619b9529413e330
                  • Opcode Fuzzy Hash: 0317c3f0e4ea66a61d0c7a994c95ba1455f35460a6b3cde5cc91617376edcd65
                  • Instruction Fuzzy Hash: 8402656140E7C15FD71B9B3089A6455BFB4AE9321470E9ACFC9C08F1B7D3698A09C762
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Execution Graph

                  Execution Coverage:18.1%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:6.2%
                  Total number of Nodes:112
                  Total number of Limit Nodes:6
                  execution_graph 6612 1051b46 6613 1051ba6 6612->6613 6614 1051b7b NtQuerySystemInformation 6612->6614 6613->6614 6615 1051b90 6614->6615 6616 10510c6 6618 10510fe MapViewOfFile 6616->6618 6619 105114d 6618->6619 6540 9fa09a 6541 9fa0cf send 6540->6541 6542 9fa107 6540->6542 6543 9fa0dd 6541->6543 6542->6541 6620 9fb65a 6623 9fb683 LookupPrivilegeValueW 6620->6623 6622 9fb6aa 6623->6622 6544 1051a82 6545 1051aae K32EnumProcesses 6544->6545 6547 1051aca 6545->6547 6548 1050882 6550 10508b7 ReadFile 6548->6550 6551 10508e9 6550->6551 6624 1052042 6626 105207d LoadLibraryA 6624->6626 6627 10520ba 6626->6627 6552 9fa392 6555 9fa3c7 RegQueryValueExW 6552->6555 6554 9fa41b 6555->6554 6556 105170a 6557 105173f WSAConnect 6556->6557 6559 105175e 6557->6559 6560 105320a 6562 105323f SetProcessWorkingSetSize 6560->6562 6563 105326b 6562->6563 6631 9fa9ce 6634 9faa09 SendMessageTimeoutA 6631->6634 6633 9faa51 6634->6633 6635 9fa74e 6636 9fa77a FindCloseChangeNotification 6635->6636 6638 9fa7b9 6635->6638 6637 9fa788 6636->6637 6638->6636 6564 1050f16 6565 1050f4e ConvertStringSecurityDescriptorToSecurityDescriptorW 6564->6565 6567 1050f8f 6565->6567 6639 1053052 6640 105307b select 6639->6640 6642 10530b0 6640->6642 6568 9fa486 6569 9fa4bb RegSetValueExW 6568->6569 6571 9fa507 6569->6571 6643 9fa8c6 6645 9fa8fe RegOpenKeyExW 6643->6645 6646 9fa954 6645->6646 6647 9fa646 6648 9fa67e CreateMutexW 6647->6648 6650 9fa6c1 6648->6650 6572 e313f8 KiUserExceptionDispatcher 6573 e3142c 6572->6573 6574 105019e 6575 10501ee MkParseDisplayName 6574->6575 6576 10501fc 6575->6576 6577 9fb002 6579 9fb037 GetFileType 6577->6579 6580 9fb064 6579->6580 6655 9fa2fe 6656 9fa32a SetErrorMode 6655->6656 6657 9fa353 6655->6657 6658 9fa33f 6656->6658 6657->6656 6581 1053126 6583 105315b GetProcessWorkingSetSize 6581->6583 6584 1053187 6583->6584 6585 1052da6 6586 1052dde RegCreateKeyExW 6585->6586 6588 1052e50 6586->6588 6589 9facba 6590 9fad1c 6589->6590 6591 9face6 OleInitialize 6589->6591 6590->6591 6592 9facf4 6591->6592 6659 9fb876 6660 9fb8a5 AdjustTokenPrivileges 6659->6660 6662 9fb8c7 6660->6662 6663 10533ee 6664 105343e RegEnumValueW 6663->6664 6665 105344c 6664->6665 6666 9fa172 EnumWindows 6667 9fa1c4 6666->6667 6668 105136a 6670 105139f shutdown 6668->6670 6671 10513c8 6670->6671 6672 1050aea 6675 1050b22 WSASocketW 6672->6675 6674 1050b5e 6675->6674 6597 1051db6 6598 1051e06 GetVolumeInformationA 6597->6598 6599 1051e0e 6598->6599 6676 1052f76 6679 1052fab ioctlsocket 6676->6679 6678 1052fd7 6679->6678 6600 9fbdaa 6601 9fbde8 DuplicateHandle 6600->6601 6602 9fbe20 6600->6602 6603 9fbdf6 6601->6603 6602->6601 6680 9fbaea 6681 9fbb1f GetExitCodeProcess 6680->6681 6683 9fbb48 6681->6683 6684 9faeea 6685 9faf22 CreateFileW 6684->6685 6687 9faf71 6685->6687 6604 9fae22 6606 9fae4b CopyFileW 6604->6606 6607 9fae72 6606->6607 6608 105153a 6609 105156f GetProcessTimes 6608->6609 6611 10515a1 6609->6611
                  APIs
                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 009FB8BF
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: AdjustPrivilegesToken
                  • String ID:
                  • API String ID: 2874748243-0
                  • Opcode ID: 713cdd6b2ec59d15435dd6d6865abaf6a579b31d7e5e3d2d4543b1aa8c4c91b5
                  • Instruction ID: 762762833fc2fb24c751f0058b02b4cfdc691de011580be316ce7106f7d7ac67
                  • Opcode Fuzzy Hash: 713cdd6b2ec59d15435dd6d6865abaf6a579b31d7e5e3d2d4543b1aa8c4c91b5
                  • Instruction Fuzzy Hash: AC21D1755093849FEB228F25DC44B62BFF8EF16310F0884DAE9858B563D371A918DB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtQuerySystemInformation.NTDLL ref: 01051B81
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: InformationQuerySystem
                  • String ID:
                  • API String ID: 3562636166-0
                  • Opcode ID: b6533f1ec4f611ac1e7d84a8bda7eea6782fc90d333e1b14a2a0d1b41b5a5532
                  • Instruction ID: 4d220b4d80820efab3fb10b9868781d355c322db4a82d0cb56d7289a07f21b69
                  • Opcode Fuzzy Hash: b6533f1ec4f611ac1e7d84a8bda7eea6782fc90d333e1b14a2a0d1b41b5a5532
                  • Instruction Fuzzy Hash: 0921DE754093C0AFDB238B21DC41A52FFB0EF16314F0984CBE9844B5A3E275A909CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 009FB8BF
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: AdjustPrivilegesToken
                  • String ID:
                  • API String ID: 2874748243-0
                  • Opcode ID: ea122147762b5cc755f3ef8386a80b59aff99247e452c16ecb388786d82307f7
                  • Instruction ID: 77a4d23cc920a2f2fd849c09a664cb4a43a1a9316c1e4a98f50c12bf8cd800f3
                  • Opcode Fuzzy Hash: ea122147762b5cc755f3ef8386a80b59aff99247e452c16ecb388786d82307f7
                  • Instruction Fuzzy Hash: 091186755003449FEB20CF55D944B66FBE8EF44320F08C86ADE458BA51D775E414DF61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtSetInformationProcess.NTDLL ref: 009FBC01
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: InformationProcess
                  • String ID:
                  • API String ID: 1801817001-0
                  • Opcode ID: 3021e29e0c49b709ae81db787f3590d2acb210fe83ec09a24eb1e9eb8e91e390
                  • Instruction ID: 1f6b423f3b8850dccfd7c0f6ed45481947c551dd81d39ac3c592bdf32ce6e9e8
                  • Opcode Fuzzy Hash: 3021e29e0c49b709ae81db787f3590d2acb210fe83ec09a24eb1e9eb8e91e390
                  • Instruction Fuzzy Hash: D111C271409384AFDB228F15DC44E62FFB4EF16320F09C49EEE854B663D275A918CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtSetInformationProcess.NTDLL ref: 009FBC01
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: InformationProcess
                  • String ID:
                  • API String ID: 1801817001-0
                  • Opcode ID: 7cb9ac9e86171da4861c93aa3dd8c1bd47937c435fa3edcd0f3c93615a22b567
                  • Instruction ID: 6876e3f1641bec1f675f1cc0152ec45f34245f8472347d6369a9d426a7c19987
                  • Opcode Fuzzy Hash: 7cb9ac9e86171da4861c93aa3dd8c1bd47937c435fa3edcd0f3c93615a22b567
                  • Instruction Fuzzy Hash: 4201A2755002089FDB208F19D984B66FBE4EF14720F08C8AADE850BA52D779E458DF72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • NtQuerySystemInformation.NTDLL ref: 01051B81
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: InformationQuerySystem
                  • String ID:
                  • API String ID: 3562636166-0
                  • Opcode ID: 12926ebc99e6c37c154a870410277502e9ab81a8f00ee9bbc45ecc528078cc66
                  • Instruction ID: bd0d9871ca9b3527de9774c1eb7d2f84a5e97e3a4fc7744898c8abbda87a18b5
                  • Opcode Fuzzy Hash: 12926ebc99e6c37c154a870410277502e9ab81a8f00ee9bbc45ecc528078cc66
                  • Instruction Fuzzy Hash: 5B01A2358002049FEB618F19D984B66FBF0EF44720F08C4AADD850BA52E375E418CF62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 512 1052d75-1052dfe 516 1052e00 512->516 517 1052e03-1052e0f 512->517 516->517 518 1052e14-1052e1d 517->518 519 1052e11 517->519 520 1052e22-1052e39 518->520 521 1052e1f 518->521 519->518 523 1052e7b-1052e80 520->523 524 1052e3b-1052e4e RegCreateKeyExW 520->524 521->520 523->524 525 1052e50-1052e78 524->525 526 1052e82-1052e87 524->526 526->525
                  APIs
                  • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 01052E41
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: Create
                  • String ID:
                  • API String ID: 2289755597-0
                  • Opcode ID: f4d681ea1585d0b379993652329824c66da8bfccd62c530ea40aa956cd01b93a
                  • Instruction ID: f260290e3dd703ba04190bbbf277fb24e2d6dcb9de13be9f5ab49e3bad79792a
                  • Opcode Fuzzy Hash: f4d681ea1585d0b379993652329824c66da8bfccd62c530ea40aa956cd01b93a
                  • Instruction Fuzzy Hash: DC31AF72504344AFE7228F65CC44FA7BBFCEF15310F08899AE985CB662D324E909CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 531 1051d2c-1051e37 GetVolumeInformationA
                  APIs
                  • GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 01051E06
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: InformationVolume
                  • String ID:
                  • API String ID: 2039140958-0
                  • Opcode ID: 69ceff3a56d410a29c2f6a57ce74f62b11388f83e331a2dd18f6851f52fc4b5c
                  • Instruction ID: 84aefd1286dbad5278f7cc5bed3163bf37008d691314e75f7eb20df1134b326e
                  • Opcode Fuzzy Hash: 69ceff3a56d410a29c2f6a57ce74f62b11388f83e331a2dd18f6851f52fc4b5c
                  • Instruction Fuzzy Hash: 17316B7150E3C05FD3138B358C65A61BFB8AF47210B0E85DBD884CF5A3D629A949C7B2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 537 10509d7-10509f7 538 1050a19-1050a4b 537->538 539 10509f9-1050a18 537->539 543 1050a4e-1050aa6 RegQueryValueExW 538->543 539->538 545 1050aac-1050ac2 543->545
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 01050A9E
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: c9e793bf354b57836f91ce19802c24222722fcec45a665811cd8d3cb6026cdfa
                  • Instruction ID: 3b0f9c1d5dadaf582ac2875c1b2040928af5df379608a8fa0391775ad2a9ed01
                  • Opcode Fuzzy Hash: c9e793bf354b57836f91ce19802c24222722fcec45a665811cd8d3cb6026cdfa
                  • Instruction Fuzzy Hash: 66318D6510E3C06FD3138B258C61A62BFB4EF47610F0E45DBE8C48B6A3D2296909C7B2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 546 9fa612-9fa695 550 9fa69a-9fa6a3 546->550 551 9fa697 546->551 552 9fa6a8-9fa6b1 550->552 553 9fa6a5 550->553 551->550 554 9fa6b3-9fa6d7 CreateMutexW 552->554 555 9fa702-9fa707 552->555 553->552 558 9fa709-9fa70e 554->558 559 9fa6d9-9fa6ff 554->559 555->554 558->559
                  APIs
                  • CreateMutexW.KERNELBASE(?,?), ref: 009FA6B9
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: 3aecdd8747aa5ab56a0863f243a03e97c04c4c598a864828c90100201c3915a6
                  • Instruction ID: 8e574fec3cd18a11c194a1af61108037951df2bd3ad931e26543da062a201b5b
                  • Opcode Fuzzy Hash: 3aecdd8747aa5ab56a0863f243a03e97c04c4c598a864828c90100201c3915a6
                  • Instruction Fuzzy Hash: 5131B3B15093845FE722CB25DC45B96BFF8EF06310F08889AE984CB292D375A909C762
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 562 1050ef0-1050f71 566 1050f76-1050f7f 562->566 567 1050f73 562->567 568 1050fd7-1050fdc 566->568 569 1050f81-1050f89 ConvertStringSecurityDescriptorToSecurityDescriptorW 566->569 567->566 568->569 571 1050f8f-1050fa1 569->571 572 1050fa3-1050fd4 571->572 573 1050fde-1050fe3 571->573 573->572
                  APIs
                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 01050F87
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: DescriptorSecurity$ConvertString
                  • String ID:
                  • API String ID: 3907675253-0
                  • Opcode ID: 571d1212b98daa7a0f26f4f606512de357ee84fe75374a2410e53ade8f4a7582
                  • Instruction ID: 04d37eaeb739952d969779395d9aec9d6cd7bc0b0a6949d9226eeca9a1e2b2e5
                  • Opcode Fuzzy Hash: 571d1212b98daa7a0f26f4f606512de357ee84fe75374a2410e53ade8f4a7582
                  • Instruction Fuzzy Hash: D1318472504344AFE721CB65DC45FA7BBE8EF05310F0884AAF984DBA52D274E909CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 577 10514fc-1051591 582 1051593-105159b GetProcessTimes 577->582 583 10515de-10515e3 577->583 584 10515a1-10515b3 582->584 583->582 586 10515e5-10515ea 584->586 587 10515b5-10515db 584->587 586->587
                  APIs
                  • GetProcessTimes.KERNELBASE(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 01051599
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: ProcessTimes
                  • String ID:
                  • API String ID: 1995159646-0
                  • Opcode ID: 95aff226ad10451728c09e89bd9f9c9427df50c7af98dd42844f56d689ae71c1
                  • Instruction ID: 10ac94b4b572a076b7857227d267b0fa11deef9dd314eafb135e45eaf7705997
                  • Opcode Fuzzy Hash: 95aff226ad10451728c09e89bd9f9c9427df50c7af98dd42844f56d689ae71c1
                  • Instruction Fuzzy Hash: 8431F9725053805FE7228F55DC45B97BFB8EF06314F0884EAE985CB553D2359905C771
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 590 9fa8a4-9fa8f8 592 9fa8fe-9fa90f 590->592 593 9fa915-9fa921 592->593 594 9fa926-9fa93d 593->594 595 9fa923 593->595 597 9fa97f-9fa984 594->597 598 9fa93f-9fa952 RegOpenKeyExW 594->598 595->594 597->598 599 9fa986-9fa98b 598->599 600 9fa954-9fa97c 598->600 599->600
                  APIs
                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 009FA945
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: Open
                  • String ID:
                  • API String ID: 71445658-0
                  • Opcode ID: e8adfb217e7880da97b2a4d089a9c769df8ff05179e45d37d4e48deeab39cf2e
                  • Instruction ID: 81cf0eb35eb6580be509858ee1b497283fe363a6fe102f77a862440fc7ef5f62
                  • Opcode Fuzzy Hash: e8adfb217e7880da97b2a4d089a9c769df8ff05179e45d37d4e48deeab39cf2e
                  • Instruction Fuzzy Hash: AC21B4B2404344AFE7218B55CC44FA7BFFCEF15720F0488AAE9858B652D264E909CB71
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 605 9fa98d-9faa41 609 9faa85-9faa8a 605->609 610 9faa43-9faa4b SendMessageTimeoutA 605->610 609->610 611 9faa51-9faa63 610->611 613 9faa8c-9faa91 611->613 614 9faa65-9faa82 611->614 613->614
                  APIs
                  • SendMessageTimeoutA.USER32(?,00000E24), ref: 009FAA49
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: MessageSendTimeout
                  • String ID:
                  • API String ID: 1599653421-0
                  • Opcode ID: a23ae6f39104ae4fce572ac836824c13e6f27385fea57af4ceeea306bee92c1f
                  • Instruction ID: 48850664cde894ca6427ac36f1c95c85677ae0f2633d95cd03d8585827be5202
                  • Opcode Fuzzy Hash: a23ae6f39104ae4fce572ac836824c13e6f27385fea57af4ceeea306bee92c1f
                  • Instruction Fuzzy Hash: C531E8710053846FEB228F60CC45FA2FFB8EF06324F08889EE9858B553D275A90DCB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 617 9faec5-9faf42 621 9faf47-9faf53 617->621 622 9faf44 617->622 623 9faf58-9faf61 621->623 624 9faf55 621->624 622->621 625 9faf63-9faf87 CreateFileW 623->625 626 9fafb2-9fafb7 623->626 624->623 629 9fafb9-9fafbe 625->629 630 9faf89-9fafaf 625->630 626->625 629->630
                  APIs
                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 009FAF69
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: fb92bdaa2073cea5ae00eb83be6e855d742bfdf1ede629152041d0b27c52ea21
                  • Instruction ID: fc7f45d04d7342890713d7a7a93441e0d3229f0a43b7c910e3cc7853875ee52b
                  • Opcode Fuzzy Hash: fb92bdaa2073cea5ae00eb83be6e855d742bfdf1ede629152041d0b27c52ea21
                  • Instruction Fuzzy Hash: 00317EB1504344AFE721CF65DD85F62FBF8EF05310F0888AAE9898B652D375E908CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 633 1052da6-1052dfe 636 1052e00 633->636 637 1052e03-1052e0f 633->637 636->637 638 1052e14-1052e1d 637->638 639 1052e11 637->639 640 1052e22-1052e39 638->640 641 1052e1f 638->641 639->638 643 1052e7b-1052e80 640->643 644 1052e3b-1052e4e RegCreateKeyExW 640->644 641->640 643->644 645 1052e50-1052e78 644->645 646 1052e82-1052e87 644->646 646->645
                  APIs
                  • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 01052E41
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: Create
                  • String ID:
                  • API String ID: 2289755597-0
                  • Opcode ID: 6b6e20bc154dfdb0987e7585fc08d7fc2ca2da94fe82afa49e9e53a4be76aa0e
                  • Instruction ID: 3165dea474060ca9c44e0ca8e85879c474fb3765f4b1baacce6d25e6e527adfe
                  • Opcode Fuzzy Hash: 6b6e20bc154dfdb0987e7585fc08d7fc2ca2da94fe82afa49e9e53a4be76aa0e
                  • Instruction Fuzzy Hash: 4F218D72500204AEE771CE59CD44FABBBECEF18714F04886AE985C6A52D734E9098A61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetExitCodeProcess.KERNELBASE(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 009FBB40
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: CodeExitProcess
                  • String ID:
                  • API String ID: 3861947596-0
                  • Opcode ID: 1c36b2e6555a8eed35e5fdf488df000080db237ef8c649017a473e00f7d5575e
                  • Instruction ID: e46ab6cc0db5384df31308274ed212ffaef5adf10b92c2aeace21eee733bfd06
                  • Opcode Fuzzy Hash: 1c36b2e6555a8eed35e5fdf488df000080db237ef8c649017a473e00f7d5575e
                  • Instruction Fuzzy Hash: 712105B15093805FE7128F25DC45BA6BFB8EF06324F0884EBE944CF193D274A909CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 009FA40C
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: 7a361d543da0006bbeea206be1766cb2ea54a5ee3727d7f2194b7d9a3061e9c7
                  • Instruction ID: f5b00255010376057710f4aac0bc4af881c3a3bd0e0aa96381a654138feab2d9
                  • Opcode Fuzzy Hash: 7a361d543da0006bbeea206be1766cb2ea54a5ee3727d7f2194b7d9a3061e9c7
                  • Instruction Fuzzy Hash: 963161B5505744AFE722CF15CC84FA6BBFCEF06710F08849AE945CB692D364E909CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetProcessWorkingSetSize.KERNEL32(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 0105317F
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: ProcessSizeWorking
                  • String ID:
                  • API String ID: 3584180929-0
                  • Opcode ID: 58609dfbbd57e475d6432fe6c563d842db9bd3572d663c587dfcd732bf91d568
                  • Instruction ID: 92cbad489a2565b4c717ced6a70dae3583f7c19d7e972706be8021c70d2ac0bb
                  • Opcode Fuzzy Hash: 58609dfbbd57e475d6432fe6c563d842db9bd3572d663c587dfcd732bf91d568
                  • Instruction Fuzzy Hash: 6721C3715093845FE713CB24CC55B96BFB8AF46314F08C4EAE9848F193D225A909CB65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RegEnumValueW.KERNELBASE(?,00000E24,?,?), ref: 0105343E
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: EnumValue
                  • String ID:
                  • API String ID: 2814608202-0
                  • Opcode ID: 54b33957a918421f33668cd909e1189166d6667d04ff034b480bc5055ac18628
                  • Instruction ID: b8a76bec8562072c538bb82bd1308cd77fcb44af5676b4252ab6d0ab31960b58
                  • Opcode Fuzzy Hash: 54b33957a918421f33668cd909e1189166d6667d04ff034b480bc5055ac18628
                  • Instruction Fuzzy Hash: 4A31736150D3C06FD3138B258C65A62BFB4DF87610F1984DBD8848B6A3D225A91AD7B2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • EnumWindows.USER32(?,00000E24,?,?), ref: 009FA1BD
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: EnumWindows
                  • String ID:
                  • API String ID: 1129996299-0
                  • Opcode ID: 349e3cb05091053b50c40eef52560003db5db738f0cb63bed7569bc2a28c438b
                  • Instruction ID: 9abb53e02b3ad65f498572cf1e5e7e373961bd72a26aa8ab4a78102bf01d2868
                  • Opcode Fuzzy Hash: 349e3cb05091053b50c40eef52560003db5db738f0cb63bed7569bc2a28c438b
                  • Instruction Fuzzy Hash: 8921E27140D3C06FD3128B258C61B66BFB4EF47610F1985DBD8C4CF693D229A91ACBA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: select
                  • String ID:
                  • API String ID: 1274211008-0
                  • Opcode ID: 1448f429c83f76dd6e3ae1f03bb811ed84531116dbb6dae340f4c440f6c8efce
                  • Instruction ID: fe8cc2fb82679e991f534b156eae2986d4d121e4ef9dd90970e64e12ae756097
                  • Opcode Fuzzy Hash: 1448f429c83f76dd6e3ae1f03bb811ed84531116dbb6dae340f4c440f6c8efce
                  • Instruction Fuzzy Hash: 0B215C715093849FDB62CF25C854A52BFF8EF06310F0988DAE984CF163D275A949DB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RegSetValueExW.KERNELBASE(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 009FA4F8
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: Value
                  • String ID:
                  • API String ID: 3702945584-0
                  • Opcode ID: 632453e58fae9cda30e9387116f989607b8dac7875b58228708722a7f740cb2b
                  • Instruction ID: 0a15269d2cd7a1dafb7bd7a606ffdc9f676caee61303976263b41efc62e8720b
                  • Opcode Fuzzy Hash: 632453e58fae9cda30e9387116f989607b8dac7875b58228708722a7f740cb2b
                  • Instruction Fuzzy Hash: AA21B0B25043846FD7228F11CC44FA7BFBCEF06710F08849AE989CB652D264E909CB72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: FileView
                  • String ID:
                  • API String ID: 3314676101-0
                  • Opcode ID: 3bf2ce86bb9035e4ebb5cd077894eed2221007e0bac841c1116ea1177be8cec7
                  • Instruction ID: 5b45e5a2177bb31b2256c2d8c0453b6f3b7531a3b03ffe0b9f15ee63961c43af
                  • Opcode Fuzzy Hash: 3bf2ce86bb9035e4ebb5cd077894eed2221007e0bac841c1116ea1177be8cec7
                  • Instruction Fuzzy Hash: 12210271405380AFE722CF15CD44F96FFF8EF09224F0488AEE9848B692D375A909CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 01050B56
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: Socket
                  • String ID:
                  • API String ID: 38366605-0
                  • Opcode ID: a232034cd64fff4955fe9e3c525671902d735dec4ad3280286e2bd01bcc60ce5
                  • Instruction ID: 46079100199ce680aa020d969831129e172cddf12f130c9389e583176e91954c
                  • Opcode Fuzzy Hash: a232034cd64fff4955fe9e3c525671902d735dec4ad3280286e2bd01bcc60ce5
                  • Instruction Fuzzy Hash: 4421CE71505380AFE722CF55DC45F96FFF8EF05220F0888AAE9858B652C275A408CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 009FAF69
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: f8186e58c19aad8fd34782c58087273eefd2c13984a5dce46f3d1e7c77ff5c13
                  • Instruction ID: da76917fe5771f0976c95c928c4ca02fd6d8160873973d6aa443f6e563df2eef
                  • Opcode Fuzzy Hash: f8186e58c19aad8fd34782c58087273eefd2c13984a5dce46f3d1e7c77ff5c13
                  • Instruction Fuzzy Hash: E021B2B1600304AFE720CF65DD85B66FBE8EF08324F048869EA498B751D375E808CB72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 01050F87
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: DescriptorSecurity$ConvertString
                  • String ID:
                  • API String ID: 3907675253-0
                  • Opcode ID: d3ed430221d1de980f95de337b370a81b8e3107cfeb0be7af1e97f532657c751
                  • Instruction ID: f3aac34b6241d74c03f7fcd5ff581996fde9ea524f401067441fdcdb3bf0a1a5
                  • Opcode Fuzzy Hash: d3ed430221d1de980f95de337b370a81b8e3107cfeb0be7af1e97f532657c751
                  • Instruction Fuzzy Hash: 1A21C272600204AFEB60DE69DD45BABBBECEF04714F04886AFD44DBA45D674E5088BB1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 01050E9C
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: 3a8d983bdd3adf6828e021557999dd8dc97fc5b3e00477206777e483de8ca19d
                  • Instruction ID: ab6418dd01499441c8361b5bc8d14f7a8138b3143f7a52281b4bdf74609b1d97
                  • Opcode Fuzzy Hash: 3a8d983bdd3adf6828e021557999dd8dc97fc5b3e00477206777e483de8ca19d
                  • Instruction Fuzzy Hash: AE21AE72505780AFE722CB15CC44F57BFF8EF45710F08889AE9859B692D365E908CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetFileType.KERNELBASE(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 009FB055
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: FileType
                  • String ID:
                  • API String ID: 3081899298-0
                  • Opcode ID: 5dfebf91c1ed0025865f226b9d05f65060dd53c474b57ad48cbf5de92e586f1a
                  • Instruction ID: b98feedd01e5ddf70061c7e8dac49629a6bd84bc97ccf017aded70cab309b8c2
                  • Opcode Fuzzy Hash: 5dfebf91c1ed0025865f226b9d05f65060dd53c474b57ad48cbf5de92e586f1a
                  • Instruction Fuzzy Hash: 992149B54087806FE3228B25DC40BA3BFBCEF06724F0884DAE9918B653D374A909C771
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 009FA945
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: Open
                  • String ID:
                  • API String ID: 71445658-0
                  • Opcode ID: daea28d8a12b7aed13f0a6d8f84b61e60a6d55bc0628fbf26ef83624ada79e90
                  • Instruction ID: d85f3195edc1d0cc9788be18a9e97864f2ef2b1b0655b8d6a1f6d113b702557a
                  • Opcode Fuzzy Hash: daea28d8a12b7aed13f0a6d8f84b61e60a6d55bc0628fbf26ef83624ada79e90
                  • Instruction Fuzzy Hash: 5221C2B2500304AEE7309E55CD44FABFBECEF14714F04886AEA458AA51D778E9488B72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetProcessWorkingSetSize.KERNEL32(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 01053263
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: ProcessSizeWorking
                  • String ID:
                  • API String ID: 3584180929-0
                  • Opcode ID: 05fb9f1b102f234023ec2014b7c406dced25f59fe2198dbefaba7b393926c594
                  • Instruction ID: daa436e19cdc77c40417aad11cb5be298c15da9b21f4bb903e00ca48ffb64f36
                  • Opcode Fuzzy Hash: 05fb9f1b102f234023ec2014b7c406dced25f59fe2198dbefaba7b393926c594
                  • Instruction Fuzzy Hash: 7E21C5715053806FD722CB55CC44F97BFA8EF45210F08C8AAE944DB552D274A908CB75
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 009FB6A2
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: LookupPrivilegeValue
                  • String ID:
                  • API String ID: 3899507212-0
                  • Opcode ID: f83eb7b17c5c0bcb5537623893583c36aeb5e8ce18c2572abac009cb898571f6
                  • Instruction ID: 78bbdb0cc5b6910e8e28bc8fefde3c7e52de9d772f0278c4519114e96265caa8
                  • Opcode Fuzzy Hash: f83eb7b17c5c0bcb5537623893583c36aeb5e8ce18c2572abac009cb898571f6
                  • Instruction Fuzzy Hash: 772160B25053845FD711CF25DC45B52BFE8EF16314F0984AAE985CB262E274D909CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateMutexW.KERNELBASE(?,?), ref: 009FA6B9
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: fbda56231af1ab379d6161b0939d54ac417139f8f1d9c05daae74764d23a2229
                  • Instruction ID: 306cc89b4cdacb75bdd1f64b3ff7c834c60b28dc5338fe65ec757b2b1daf06c8
                  • Opcode Fuzzy Hash: fbda56231af1ab379d6161b0939d54ac417139f8f1d9c05daae74764d23a2229
                  • Instruction Fuzzy Hash: 992180B56012049FE720DF25DD45BA6FBE8EF04324F08C86AEA49CB641D775E909CB72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • shutdown.WS2_32(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 010513C0
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: shutdown
                  • String ID:
                  • API String ID: 2510479042-0
                  • Opcode ID: a8efa6197da798da46f37f3cc0d81795796fffa666e77a0474e9c92ef40e8598
                  • Instruction ID: aeaa4d4224a6ac1e7de6f189be7828de934450c163a196d52c214835950a6cfd
                  • Opcode Fuzzy Hash: a8efa6197da798da46f37f3cc0d81795796fffa666e77a0474e9c92ef40e8598
                  • Instruction Fuzzy Hash: 5E21C5714093806FD7228B15CC44B56BFB8EF46210F0884DBE9849F653C378A909CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ReadFile.KERNELBASE(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 010508E1
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: FileRead
                  • String ID:
                  • API String ID: 2738559852-0
                  • Opcode ID: bcfdf354c5a21a763a6ea86006db38df021d8e5fb45f178b8af116f6bcae9dab
                  • Instruction ID: d991308ef549c8b771f5149ce180190cc37ae74a8e4e67578bcab23c27b4f882
                  • Opcode Fuzzy Hash: bcfdf354c5a21a763a6ea86006db38df021d8e5fb45f178b8af116f6bcae9dab
                  • Instruction Fuzzy Hash: 4B21D471405340AFE722CF55CC44F97BFF8EF45314F08889AE9848B552C234A908CB71
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 009FA40C
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: 5a8f578bac19e9b051fdc800ffeb942d23487e3224e4de1c10f783fb25b53225
                  • Instruction ID: 2c9638e2131f561313a460403843ab1b425ce506845e36ef3461c8b67547801f
                  • Opcode Fuzzy Hash: 5a8f578bac19e9b051fdc800ffeb942d23487e3224e4de1c10f783fb25b53225
                  • Instruction Fuzzy Hash: 92214DB56006089FE721CE15CD84FA6B7ECEF04714F14C86AEA498BA51D7B4E909CB72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ioctlsocket.WS2_32(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 01052FCF
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: ioctlsocket
                  • String ID:
                  • API String ID: 3577187118-0
                  • Opcode ID: e7fcd9d70fc73c811c56e12352a3cd61e9416c0e570051f40a2554f95d6f22a0
                  • Instruction ID: 20b3c9d73c9152f9b3cf30d1bc35930cca6593897cc973d696cb36582f2fec73
                  • Opcode Fuzzy Hash: e7fcd9d70fc73c811c56e12352a3cd61e9416c0e570051f40a2554f95d6f22a0
                  • Instruction Fuzzy Hash: B721A1714093846FD722CF55CD44F97BFB8EF45314F0888AAE9849B652D274A908CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • FindCloseChangeNotification.KERNELBASE(?), ref: 009FB978
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0
                  • Opcode ID: faa694baab7c8c8432968706ffe0dd40eb826012c41444ae310059f8ec27e187
                  • Instruction ID: b1ffed60091096b8bd5ed44bf9777315420b5b28c88595926166b1ead09f6aa8
                  • Opcode Fuzzy Hash: faa694baab7c8c8432968706ffe0dd40eb826012c41444ae310059f8ec27e187
                  • Instruction Fuzzy Hash: 5F21F0725093C05FDB028F25DC54792BFB4AF07324F0984DAE9858F663D274A908CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 01051756
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: Connect
                  • String ID:
                  • API String ID: 3144859779-0
                  • Opcode ID: 9c35c15b2bf5019d9b1b0706eceea0306d71e3ce5fab7cf13d9c2fef96234808
                  • Instruction ID: c34d87391b9a0bf37152be70ea7a8cc9dcb496c32b9da4311c685e7c174ded13
                  • Opcode Fuzzy Hash: 9c35c15b2bf5019d9b1b0706eceea0306d71e3ce5fab7cf13d9c2fef96234808
                  • Instruction Fuzzy Hash: 5B21AF75409384AFDB228F65CC44B92BFF4EF06310F0988DAE9858B563D375A819DB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: FileView
                  • String ID:
                  • API String ID: 3314676101-0
                  • Opcode ID: 154c4a59557421160134e60e8a9f78dcab61b0ad11a549efa13de653536468d0
                  • Instruction ID: 86ba32c44a49fc573ff65128745c6720fe2748f14c62706d0e10ad7fca4ad053
                  • Opcode Fuzzy Hash: 154c4a59557421160134e60e8a9f78dcab61b0ad11a549efa13de653536468d0
                  • Instruction Fuzzy Hash: 8D21F371500204AFEB31CF19DD45F9AFBE8EF08324F0488A9E9858BB51D375E409CB65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 01050B56
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: Socket
                  • String ID:
                  • API String ID: 38366605-0
                  • Opcode ID: 053cd3c933414abb3c704b6895f96ea6d548d6dcbb6ba7daca10a53c8b4ea0d8
                  • Instruction ID: 6d73c5574c603a510469f929873fe8bfc521641057c89a0c544e1e4ea503011d
                  • Opcode Fuzzy Hash: 053cd3c933414abb3c704b6895f96ea6d548d6dcbb6ba7daca10a53c8b4ea0d8
                  • Instruction Fuzzy Hash: D321A471500200AFEB31DF55DD85F5AFBE4EF08324F04886AED858BA52D375A509CB71
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • FindCloseChangeNotification.KERNELBASE(?), ref: 009FA780
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0
                  • Opcode ID: 2cb8b658df26c6e9304e9d24c1afffe472a31aef4d367a44bf0da3551f279b8a
                  • Instruction ID: e1553265fac45e1b180e23f51baaaf7238adc286e5654e250f80b29a2feb9a0b
                  • Opcode Fuzzy Hash: 2cb8b658df26c6e9304e9d24c1afffe472a31aef4d367a44bf0da3551f279b8a
                  • Instruction Fuzzy Hash: 3521D2B59043809FD711CF15DD85B52BFB8EF02324F0984ABED458B653D335A905DB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SendMessageTimeoutA.USER32(?,00000E24), ref: 009FAA49
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: MessageSendTimeout
                  • String ID:
                  • API String ID: 1599653421-0
                  • Opcode ID: 4be6b093fcafd2ebcb96d3053d90a551c14d242f5fbc8061d02b3a489f3a5801
                  • Instruction ID: 64adaff78aa392bdcd6faed8dc66bee2689247551982ab4da6ebe5bd0d54da1b
                  • Opcode Fuzzy Hash: 4be6b093fcafd2ebcb96d3053d90a551c14d242f5fbc8061d02b3a489f3a5801
                  • Instruction Fuzzy Hash: BE21E471500304AFEB318F54CD41FB6FBA8EF04714F14886AEE458AA91D379E519CB72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009FBDEE
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: 804cf9b025e855c5afdcdab8d4d8d10597fdb9ab59c75ead420eb50500e45c5f
                  • Instruction ID: 00e5f539500616dbd41c534de504461b1637041287478b222c03109ba16cc67c
                  • Opcode Fuzzy Hash: 804cf9b025e855c5afdcdab8d4d8d10597fdb9ab59c75ead420eb50500e45c5f
                  • Instruction Fuzzy Hash: AA21A171409380AFDB228F51DC44A62FFF4EF4A310F0988DAEE858B563D275A919DB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryA.KERNELBASE(?,00000E24), ref: 010520AB
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: 4cd64de13c1006f1258eabcb7d93c2ed25345768d7aa62438b3ec83b03081fdd
                  • Instruction ID: baed94a650d7fbffc2b73f443bcdf1ff6941b2ef6c5d9eb5affb886fa9fee0b1
                  • Opcode Fuzzy Hash: 4cd64de13c1006f1258eabcb7d93c2ed25345768d7aa62438b3ec83b03081fdd
                  • Instruction Fuzzy Hash: 8611E471405340AFE721CB15CC85FA6FBB8DF06720F04849AFD449B692D275A948CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RegSetValueExW.KERNELBASE(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 009FA4F8
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: Value
                  • String ID:
                  • API String ID: 3702945584-0
                  • Opcode ID: 13fd88db79d7122096bc6c30720ec8bf0c472df4ef2d9e2880787532e7567d12
                  • Instruction ID: 52af6f5915e855d5a0c9edea781c4e0244b7fd3308fdab0f0eab33f2155bea55
                  • Opcode Fuzzy Hash: 13fd88db79d7122096bc6c30720ec8bf0c472df4ef2d9e2880787532e7567d12
                  • Instruction Fuzzy Hash: 3411B1B6500304AFE7318E15CD45FABBBECEF04714F04886AEE498AA51D774E9088B72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 01050E9C
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: 8b2abb3f4ee5f3383fd2d4b2a5548a5b6cb8e49598db294caa16aabbc9c55d78
                  • Instruction ID: c0b08c1ba647aa8be85264bda58127c378062473763b5c52eb51bc21d4d607e2
                  • Opcode Fuzzy Hash: 8b2abb3f4ee5f3383fd2d4b2a5548a5b6cb8e49598db294caa16aabbc9c55d78
                  • Instruction Fuzzy Hash: 7511A272500604AFE771CE19CD44FABB7E8EF04710F1488AAED458A652D774E509CA71
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CopyFileW.KERNELBASE(?,?,?), ref: 009FAE6A
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: CopyFile
                  • String ID:
                  • API String ID: 1304948518-0
                  • Opcode ID: 5c72cd1d8325b39556e75de665148cd2ff4c617fc0d70f50038cecd521c43c74
                  • Instruction ID: 5f3213e8f455f95a78943bc14fc4395e11afb69045549df4bcb6973a0cd548a1
                  • Opcode Fuzzy Hash: 5c72cd1d8325b39556e75de665148cd2ff4c617fc0d70f50038cecd521c43c74
                  • Instruction Fuzzy Hash: 201184B16053845FD721CF25DC85B63BFE8EF55220F0984AAED49CB652D274E804CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetProcessTimes.KERNELBASE(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 01051599
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: ProcessTimes
                  • String ID:
                  • API String ID: 1995159646-0
                  • Opcode ID: f78a564fd7a33634db3cb87af29b322f1822b3a035a10b4b22dc7fd8db45cd33
                  • Instruction ID: 051be3213c3079011e95d4cc2173aa2e569d503df69668412dc1f24b42de88f9
                  • Opcode Fuzzy Hash: f78a564fd7a33634db3cb87af29b322f1822b3a035a10b4b22dc7fd8db45cd33
                  • Instruction Fuzzy Hash: EE11D372500200AFEB718F55DD44BABB7E8EF04614F08887AED468AA51D774A5098BB1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetProcessWorkingSetSize.KERNEL32(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 01053263
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: ProcessSizeWorking
                  • String ID:
                  • API String ID: 3584180929-0
                  • Opcode ID: ef6227be6dbd4c3f365dba506596fd5a6b284879c02daa0bbf5e1fa49ab6a71c
                  • Instruction ID: 5796c18853031c8906eb0cc513fe74a89a1f0a70dd64acb9166824efb7773602
                  • Opcode Fuzzy Hash: ef6227be6dbd4c3f365dba506596fd5a6b284879c02daa0bbf5e1fa49ab6a71c
                  • Instruction Fuzzy Hash: C011E271500200AFEB218F59CD44BABB7E8EF44364F04C86AED45CFA41D678A508CAB1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetProcessWorkingSetSize.KERNEL32(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 0105317F
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: ProcessSizeWorking
                  • String ID:
                  • API String ID: 3584180929-0
                  • Opcode ID: ef6227be6dbd4c3f365dba506596fd5a6b284879c02daa0bbf5e1fa49ab6a71c
                  • Instruction ID: bf63c84c352d092ace8c250c3ccad5eccd8e281dd584dd0bb7c6a7b7482c64b3
                  • Opcode Fuzzy Hash: ef6227be6dbd4c3f365dba506596fd5a6b284879c02daa0bbf5e1fa49ab6a71c
                  • Instruction Fuzzy Hash: 1F11E2715002049FEB21CF29CD44BABB7E8EF04324F08C87AED45CB641D774A9088AB5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • MkParseDisplayName.OLE32(?,00000E24,?,?), ref: 010501EE
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: DisplayNameParse
                  • String ID:
                  • API String ID: 3580041360-0
                  • Opcode ID: ce52b0438405beb0a5facf16db875a57572ce435c7dfd2335ab19f7964d82703
                  • Instruction ID: d01fbb64f003fa4cb4fa374a861e7ae46b1032c3d7bd01e39c7bb9170f1cf849
                  • Opcode Fuzzy Hash: ce52b0438405beb0a5facf16db875a57572ce435c7dfd2335ab19f7964d82703
                  • Instruction Fuzzy Hash: 5A11E6715057806FD3118B16DC41F73BFB8EF86620F0985AAEC488BA42D225B919CBB2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetExitCodeProcess.KERNELBASE(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 009FBB40
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: CodeExitProcess
                  • String ID:
                  • API String ID: 3861947596-0
                  • Opcode ID: c0e4c33d8707665ce7dc5931e7c5a84098502d76628fa88842f37b4d72f1056e
                  • Instruction ID: ad0416944c818ecb825d28498cc70e6769b3742936582f5669a0edcd26692765
                  • Opcode Fuzzy Hash: c0e4c33d8707665ce7dc5931e7c5a84098502d76628fa88842f37b4d72f1056e
                  • Instruction Fuzzy Hash: 7611E371500204AFEB208F15DD45BAAB7ACDF04724F18C87AED05CBA45D778E9098BB1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • K32EnumProcesses.KERNEL32(?,?,?,60660510,00000000,?,?,?,?,?,?,?,?,6C883C58), ref: 01051AC2
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: EnumProcesses
                  • String ID:
                  • API String ID: 84517404-0
                  • Opcode ID: b44aee905472dde649c38a58fff9c548abe2504d5eafa97f01d288f64b623c62
                  • Instruction ID: b7e4530481dc0419d078129bb9dfc1450b3898ceac4c8498f0b12af6057d2e25
                  • Opcode Fuzzy Hash: b44aee905472dde649c38a58fff9c548abe2504d5eafa97f01d288f64b623c62
                  • Instruction Fuzzy Hash: B611A2715053809FD751CF65DC84B53BFE8EF05210F0884EAED85CB652D274A818CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ReadFile.KERNELBASE(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 010508E1
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: FileRead
                  • String ID:
                  • API String ID: 2738559852-0
                  • Opcode ID: 16d9439779b3997d6f82efc19979b037393925e53687ef9f4a788dc4f14978eb
                  • Instruction ID: d450ab6dd7e1d7104cfb83e3923cf08b4b74b94d872ad56572f8967caab244bc
                  • Opcode Fuzzy Hash: 16d9439779b3997d6f82efc19979b037393925e53687ef9f4a788dc4f14978eb
                  • Instruction Fuzzy Hash: 1C11E272500300AFEB218F55CD44FABFBE8EF04714F04886AED859BA45C374A508CBB1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ioctlsocket.WS2_32(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 01052FCF
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: ioctlsocket
                  • String ID:
                  • API String ID: 3577187118-0
                  • Opcode ID: 8fabba888e6d9d188346ec0c9c7bee7b4f9ee7ab27e02a8d4d2c786dc3c6a6ae
                  • Instruction ID: b2d91509b665168736bec6dc3dd6a5c8242319692c6c7483f72621247c1f9edf
                  • Opcode Fuzzy Hash: 8fabba888e6d9d188346ec0c9c7bee7b4f9ee7ab27e02a8d4d2c786dc3c6a6ae
                  • Instruction Fuzzy Hash: 9511C171500304AFE761CF55DD84BABBBE8EF04724F04C8AAED459B641D778A5098BB1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: Initialize
                  • String ID:
                  • API String ID: 2538663250-0
                  • Opcode ID: 199c076c7ce23e4b3ae5887df12afb95136b033ff53802fa9c4b288c6956be28
                  • Instruction ID: 924ea80e7a8672bd165b43e335ac827c9d81f3941a1941cdc2b2b21643f0fab0
                  • Opcode Fuzzy Hash: 199c076c7ce23e4b3ae5887df12afb95136b033ff53802fa9c4b288c6956be28
                  • Instruction Fuzzy Hash: 8B1160715093C45FDB128B25DC44692BFB4EF46220F0984DBDD888F653D275A948CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • shutdown.WS2_32(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 010513C0
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: shutdown
                  • String ID:
                  • API String ID: 2510479042-0
                  • Opcode ID: b123a3d3bdc9887dff87542dafd546c75ff4582cb7adcb31bbcc870c8120aa96
                  • Instruction ID: 59ce8aa89f285626ce053d7f7a2f20094b16c0d4987374696ef27480665b6e0b
                  • Opcode Fuzzy Hash: b123a3d3bdc9887dff87542dafd546c75ff4582cb7adcb31bbcc870c8120aa96
                  • Instruction Fuzzy Hash: 15112971500200AFEB21CF19DD44BABF7E8DF04724F04C8A6ED448FA42D778A5098AB1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetErrorMode.KERNELBASE(?), ref: 009FA330
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: ErrorMode
                  • String ID:
                  • API String ID: 2340568224-0
                  • Opcode ID: e51480aa078d218a1da6250c7630ce0defc8d0093833abce61ed3fad83fc701d
                  • Instruction ID: 95d45469edb54b12db1d0d524e17fc1d6f126a6f28ed949c443d1508150730d3
                  • Opcode Fuzzy Hash: e51480aa078d218a1da6250c7630ce0defc8d0093833abce61ed3fad83fc701d
                  • Instruction Fuzzy Hash: 1711BFB14093C46FDB128B25DC44662BFB4DF07220F0980CBED848B263C2656808DB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryA.KERNELBASE(?,00000E24), ref: 010520AB
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: 1da4c0ae9af2064a135d259f511e6960120eb82aee6121c879debc698d1c70a3
                  • Instruction ID: 9ee4dec653893cab917832faa5a52bf2301f437eadc34f41fc08b87b91f3a50d
                  • Opcode Fuzzy Hash: 1da4c0ae9af2064a135d259f511e6960120eb82aee6121c879debc698d1c70a3
                  • Instruction Fuzzy Hash: 35112571501300AEE7308B19CD41BAAFBA8DF04724F04C4AAFD444BB82D3B9A948CA62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: select
                  • String ID:
                  • API String ID: 1274211008-0
                  • Opcode ID: 408f30abcef86edf440db298a88c454ed20a7f4407a96e5bdecba2ecc294b345
                  • Instruction ID: fdeeebe89aa34ab1b7214dde6f8553b715f224e503cc732b95edb31a26053620
                  • Opcode Fuzzy Hash: 408f30abcef86edf440db298a88c454ed20a7f4407a96e5bdecba2ecc294b345
                  • Instruction Fuzzy Hash: F6115E716003048FEBA0CF59D984B56FBE8EF04750F0884AAED89CF652D775E548CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: send
                  • String ID:
                  • API String ID: 2809346765-0
                  • Opcode ID: 3f0678b228abebc91c33b57429d466eb9933c9678a819ffbdc53caa5cc4b9ce7
                  • Instruction ID: 2d4a1f75c40bd85897a511742097e8e05d5da4a15e26838d8a11c40419a7e02d
                  • Opcode Fuzzy Hash: 3f0678b228abebc91c33b57429d466eb9933c9678a819ffbdc53caa5cc4b9ce7
                  • Instruction Fuzzy Hash: DE11C4715093809FDB22CF11DC44B52FFB4EF45314F09C8DAED848B552C275A918CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CopyFileW.KERNELBASE(?,?,?), ref: 009FAE6A
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: CopyFile
                  • String ID:
                  • API String ID: 1304948518-0
                  • Opcode ID: fc55a7ffa1c892d3b4f181a02411bc37293b0c329abfff3bdc866af16c70819b
                  • Instruction ID: bd178409892be883101a72f22cf896f89e9116c62c2cbb3025f6b70af4f8c3e5
                  • Opcode Fuzzy Hash: fc55a7ffa1c892d3b4f181a02411bc37293b0c329abfff3bdc866af16c70819b
                  • Instruction Fuzzy Hash: BA1152B5A002048FEB20DF29DD45766FBE8EF54720F08C86ADD49CB751D679E814CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 009FB6A2
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: LookupPrivilegeValue
                  • String ID:
                  • API String ID: 3899507212-0
                  • Opcode ID: fc55a7ffa1c892d3b4f181a02411bc37293b0c329abfff3bdc866af16c70819b
                  • Instruction ID: e9453316ad8a522b66868f288b5905fae6107210d366290f1a58d033f3e68f9a
                  • Opcode Fuzzy Hash: fc55a7ffa1c892d3b4f181a02411bc37293b0c329abfff3bdc866af16c70819b
                  • Instruction Fuzzy Hash: 6E1152716002449FDB20DF29D985766FBE8EF14724F08C86ADD49CB641D775E814CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetFileType.KERNELBASE(?,00000E24,60660510,00000000,00000000,00000000,00000000), ref: 009FB055
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: FileType
                  • String ID:
                  • API String ID: 3081899298-0
                  • Opcode ID: 31919799857641fa58762fcc50c9a861c5bdd9c88048054016b2163c919b2b95
                  • Instruction ID: 26d2ef21ccf946273ca3f2e9b0f1c04b1619fa75df0e3718faffad2d835ca11a
                  • Opcode Fuzzy Hash: 31919799857641fa58762fcc50c9a861c5bdd9c88048054016b2163c919b2b95
                  • Instruction Fuzzy Hash: E101C471500304AEE7209F15DD45BB7B7A8DF04724F18C4A6EE158B645D778E9088AA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 01051756
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: Connect
                  • String ID:
                  • API String ID: 3144859779-0
                  • Opcode ID: e592830b08162477121cc80da5dc90f12350a18b438f291be31d0a5e328d4c6c
                  • Instruction ID: 41d604f530bc56eb94b77ba3f058893bbe6084fab3c2d4c9e747a879443df919
                  • Opcode Fuzzy Hash: e592830b08162477121cc80da5dc90f12350a18b438f291be31d0a5e328d4c6c
                  • Instruction Fuzzy Hash: D7117C315002049FEB61CF59D944B66FBF4FF08210F0888AADD858BA62D375E418DF61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • K32EnumProcesses.KERNEL32(?,?,?,60660510,00000000,?,?,?,?,?,?,?,?,6C883C58), ref: 01051AC2
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: EnumProcesses
                  • String ID:
                  • API String ID: 84517404-0
                  • Opcode ID: 3f8271492466bedc7759ca7ad6faebb410de1c0eaaabab257cbf88ed4d9b541a
                  • Instruction ID: a6e4648cfed8732bf67c6c1afc4ceeac7517a926d22bb1b5dc64b5a10c12cd1d
                  • Opcode Fuzzy Hash: 3f8271492466bedc7759ca7ad6faebb410de1c0eaaabab257cbf88ed4d9b541a
                  • Instruction Fuzzy Hash: B011A1756042408FEB61CF69D984B56FBE4EF04220F08C4AADD49CBA52D675E454CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • EnumWindows.USER32(?,00000E24,?,?), ref: 009FA1BD
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: EnumWindows
                  • String ID:
                  • API String ID: 1129996299-0
                  • Opcode ID: a8705d4be55acfe39cf282ab26fb5745dde5daa9fbc066328f603c979e84c40e
                  • Instruction ID: 7225b1b5d04a0de2ea4ac5419737f1475ab08ebcd4f3e4cc269bb05282dfdc05
                  • Opcode Fuzzy Hash: a8705d4be55acfe39cf282ab26fb5745dde5daa9fbc066328f603c979e84c40e
                  • Instruction Fuzzy Hash: 2C017171600200ABD310DF16DD46B66FBE8EB88A20F14856AED089BB41D775F915CBE5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 01051E06
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: InformationVolume
                  • String ID:
                  • API String ID: 2039140958-0
                  • Opcode ID: 3f2b91d9c851a8f80d8b38c848f79e4cc919e129953d6b9e397762b330e774df
                  • Instruction ID: 37d1fd507419e85b999ad4f0a80a4decbf5efb2acc5a593f8dae57e76a84c76a
                  • Opcode Fuzzy Hash: 3f2b91d9c851a8f80d8b38c848f79e4cc919e129953d6b9e397762b330e774df
                  • Instruction Fuzzy Hash: 8201B171600200ABD310DF16CD46B66FBE8EB88A20F14856AEC089BB41D731F915CBE1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009FBDEE
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: 35de0ef897a299262812b43f975ad5655d33479951f37891e15a368249bf24eb
                  • Instruction ID: 4cc737e129688b5bccfac9e4f15ca1d42041472b3e33ffb7e6ec88ae7006be22
                  • Opcode Fuzzy Hash: 35de0ef897a299262812b43f975ad5655d33479951f37891e15a368249bf24eb
                  • Instruction Fuzzy Hash: 330184329007049FDB218F55D944B66FBE4EF48710F08C8AADE454AA52D376E414DFA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • FindCloseChangeNotification.KERNELBASE(?), ref: 009FA780
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0
                  • Opcode ID: c485e158c233c70ff6aa1d1b50a04422c6a6e7a46e2909d6ffa3a9274654b6ed
                  • Instruction ID: 3f888029233e184473bcc1cb78c650626e244bdc9971cd85571552b59f8738b0
                  • Opcode Fuzzy Hash: c485e158c233c70ff6aa1d1b50a04422c6a6e7a46e2909d6ffa3a9274654b6ed
                  • Instruction Fuzzy Hash: 100184B59002448FEB109F15D985B66FBE4DF04720F08C8BBDD498BB56D679E904CFA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • FindCloseChangeNotification.KERNELBASE(?), ref: 009FB978
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0
                  • Opcode ID: 2dcf754a557f8eec7a6574b25659e76eb660d79b3be545ab7cc03aee26140b65
                  • Instruction ID: 1feb30cd27ae858a082cd857506ed2d02ac4e23255b5be53ef600fed04557442
                  • Opcode Fuzzy Hash: 2dcf754a557f8eec7a6574b25659e76eb660d79b3be545ab7cc03aee26140b65
                  • Instruction Fuzzy Hash: 9301B1715042048FDB20CF19D984766BBE4DF04324F08C4AADE498BB42D7B9E548CBA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 01050A9E
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: 5b7bc31d4d73009439347995dab4ac348901bf9235b16ffb50619e70550643db
                  • Instruction ID: cda5d9d9846f7c037249efabf444c4178aaec698ff0fe969dae6506010702fac
                  • Opcode Fuzzy Hash: 5b7bc31d4d73009439347995dab4ac348901bf9235b16ffb50619e70550643db
                  • Instruction Fuzzy Hash: A401DB715002006BD310DF16CD46B66FBE8FB88B20F14815ADC0857741D771F515CBE5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • MkParseDisplayName.OLE32(?,00000E24,?,?), ref: 010501EE
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: DisplayNameParse
                  • String ID:
                  • API String ID: 3580041360-0
                  • Opcode ID: 02d96320034a41b363851ecc185e5b522c436e1e8c6fb720561f410ea0bcae98
                  • Instruction ID: 83569572782e13c219a42f4f1a8499be45eecd0804361f06aab7bfc3bade5fd3
                  • Opcode Fuzzy Hash: 02d96320034a41b363851ecc185e5b522c436e1e8c6fb720561f410ea0bcae98
                  • Instruction Fuzzy Hash: F001DB715002006BD310DF16CD46B66FBE8FB88B20F14815ADC0857741D771F515CBE5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RegEnumValueW.KERNELBASE(?,00000E24,?,?), ref: 0105343E
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155681187.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1050000_WindowsServices.jbxd
                  Similarity
                  • API ID: EnumValue
                  • String ID:
                  • API String ID: 2814608202-0
                  • Opcode ID: 9a8c8ffbaa4ed4e5afabc99569b2cb2db3d0689b003268367ea4ac828d68d2b7
                  • Instruction ID: 5019e1b7b768937bc28483d70ceb77c8e43a72494d6fdc9f97dc74936869fbc4
                  • Opcode Fuzzy Hash: 9a8c8ffbaa4ed4e5afabc99569b2cb2db3d0689b003268367ea4ac828d68d2b7
                  • Instruction Fuzzy Hash: E601DB715002006BD310DF16CD46B66FBE8FB88B20F14815ADC0857741D771F515CBE5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: send
                  • String ID:
                  • API String ID: 2809346765-0
                  • Opcode ID: a78901ec1e06a109d1eca4541bfc7d61d6da72fa08fc3cf0a43fe6f4a67f30a0
                  • Instruction ID: ea47d55bd6d6ca27454c466e86e17cf1f86c3cc4761a6a1eb4f2cc7247f0d098
                  • Opcode Fuzzy Hash: a78901ec1e06a109d1eca4541bfc7d61d6da72fa08fc3cf0a43fe6f4a67f30a0
                  • Instruction Fuzzy Hash: 4F01D4715042449FDB20CF55D944B62FBE4EF04324F08C8AADE498BA52D779E418CF72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: Initialize
                  • String ID:
                  • API String ID: 2538663250-0
                  • Opcode ID: c575fd9dc685b640e16352a8360d4b1984fcdc190a54ad32451f179b0de79b4e
                  • Instruction ID: 71d541fdada3c41d3ad9325c52ae4d5ad13bc5fc49664abd671d258f27890228
                  • Opcode Fuzzy Hash: c575fd9dc685b640e16352a8360d4b1984fcdc190a54ad32451f179b0de79b4e
                  • Instruction Fuzzy Hash: D801D6B19042448FEB20CF15D984766FBE4EF04321F18C8AADD498FB46D279A504CF62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetErrorMode.KERNELBASE(?), ref: 009FA330
                  Memory Dump Source
                  • Source File: 00000001.00000002.4153788955.00000000009FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9fa000_WindowsServices.jbxd
                  Similarity
                  • API ID: ErrorMode
                  • String ID:
                  • API String ID: 2340568224-0
                  • Opcode ID: 0eba1c1fda012c7551392e0dc2d8ec61915c4b7b608952f24ccac63480069987
                  • Instruction ID: f1b921de2cfce3cab7370bfeb80f7b72de1bd24dfc9fa8d5f47e6b98029fafb3
                  • Opcode Fuzzy Hash: 0eba1c1fda012c7551392e0dc2d8ec61915c4b7b608952f24ccac63480069987
                  • Instruction Fuzzy Hash: B6F0A475904244CFDB208F09D984761FBE4EF04724F08C4AADE494B752D2B9A408CFA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • KiUserExceptionDispatcher.NTDLL ref: 00E3141F
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155482918.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_e30000_WindowsServices.jbxd
                  Similarity
                  • API ID: DispatcherExceptionUser
                  • String ID:
                  • API String ID: 6842923-0
                  • Opcode ID: 832e2b90ea030c24be8e237b9607650cfc395022194f0c6de6e534764f986a43
                  • Instruction ID: da336cbbe50d2bb218fa5bd3cfb57542b63a6f649da208e233e22fd2a8861ded
                  • Opcode Fuzzy Hash: 832e2b90ea030c24be8e237b9607650cfc395022194f0c6de6e534764f986a43
                  • Instruction Fuzzy Hash: 80F0AF30E042458ECF61EF79898949EBFF6AB89300B1486AAC405EB611EB348906CBD1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • KiUserExceptionDispatcher.NTDLL ref: 00E3141F
                  Memory Dump Source
                  • Source File: 00000001.00000002.4155482918.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_e30000_WindowsServices.jbxd
                  Similarity
                  • API ID: DispatcherExceptionUser
                  • String ID:
                  • API String ID: 6842923-0
                  • Opcode ID: af36d55dc11870720f061e8ddc35eb1a05b448f41724cf1f269ba68dadafe77f
                  • Instruction ID: 41a68a375b34f73e6d2df41846bd5045d279f0ce6f4a947198716e04cbcfef1a
                  • Opcode Fuzzy Hash: af36d55dc11870720f061e8ddc35eb1a05b448f41724cf1f269ba68dadafe77f
                  • Instruction Fuzzy Hash: 98F01270E002099FCF54EF79C94959EFFF6AB88340B10853AD409E3714EB349A05CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.4155717453.0000000001060000.00000040.00000020.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1060000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 301299577e4a55f5a00d3a9c661dec28d283ab4b3bf537eab6512314fdab739d
                  • Instruction ID: e1cc4cdb704c3ed9069dcb5d2e1dd3781ea92ba3368ae44d68eb5bc809b7ddae
                  • Opcode Fuzzy Hash: 301299577e4a55f5a00d3a9c661dec28d283ab4b3bf537eab6512314fdab739d
                  • Instruction Fuzzy Hash: 3D21D3341493C0DFD713CB14C950B11BFF5AB46308F1985EEE8844BA63C77A9806CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.4158902676.0000000005330000.00000040.00000800.00020000.00000000.sdmp, Offset: 05330000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5330000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e6ed0cb4b4641fe5d91e454c240f6b239cc53c980664aac6379121e78e137ce7
                  • Instruction ID: 6673cef4e7e593b7406fdcff936105527c1f92adb3aa41472ed737d10c212409
                  • Opcode Fuzzy Hash: e6ed0cb4b4641fe5d91e454c240f6b239cc53c980664aac6379121e78e137ce7
                  • Instruction Fuzzy Hash: 9511EAB5908341AFD350CF19D840A5BFBE4FB88664F04896EF998D7311D231E9148FA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.4155717453.0000000001060000.00000040.00000020.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1060000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 189898c8faae87859b195b1f66a9f5b803bf2f31cc94ceb7db5fbed20d08b831
                  • Instruction ID: 4b586cc5e7c2558da528e6807b477f551bb766d4c6007cdbb9560ea02453d911
                  • Opcode Fuzzy Hash: 189898c8faae87859b195b1f66a9f5b803bf2f31cc94ceb7db5fbed20d08b831
                  • Instruction Fuzzy Hash: F411E4302842849FE715CB14D540B26FBEAAB8970CF24C9ACF5891BB47C77BD803CA61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.4153940785.0000000000A0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_a0a000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0c26d3a39f79a8c342c501818c5b4fc3733dd67d10677f26d5cea0eb6cafc770
                  • Instruction ID: 9afe66ec74cccd5db2e7dc006262f11aca1e0c9b70c1b0f7d8dbc82aeb58770a
                  • Opcode Fuzzy Hash: 0c26d3a39f79a8c342c501818c5b4fc3733dd67d10677f26d5cea0eb6cafc770
                  • Instruction Fuzzy Hash: 9E11FAB5908301AFD350CF09DD40E57FBE8EB98660F048D2EF95997711D271E9188FA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.4155717453.0000000001060000.00000040.00000020.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1060000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a933ba6eb060931c736b640a548c2cc51072c051999f626fda474d749292e9c4
                  • Instruction ID: a2d36232d155c1aaa1d9533bd171b2ae1b1caec9cfcf32db8f779e72e7861861
                  • Opcode Fuzzy Hash: a933ba6eb060931c736b640a548c2cc51072c051999f626fda474d749292e9c4
                  • Instruction Fuzzy Hash: F501D6754097846FD7118B16AC40863FFF8DF86220709C4EFEC498BA12D225A809CB72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.4155717453.0000000001060000.00000040.00000020.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1060000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 74b9f174851936b42c91253ba0377f3a0e724fe011995a5d7daf0febe73ee2ff
                  • Instruction ID: e62317526a1f96e6bbae726bbf74047ec6ff05f41e3fb0bf7a35149d1531ee40
                  • Opcode Fuzzy Hash: 74b9f174851936b42c91253ba0377f3a0e724fe011995a5d7daf0febe73ee2ff
                  • Instruction Fuzzy Hash: 58F0FB35144644DFC206CB04D540B15FBE6EB89718F24CAADE98907756C737D812DA91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.4155717453.0000000001060000.00000040.00000020.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1060000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6e87aaed5d8d179cb853c49ede2e00b07b0b3d8460d69e95f0b99455831b6662
                  • Instruction ID: c79238417057f4a9d783450363f806e10c10f2e8c723ff4926be1f1ef802b993
                  • Opcode Fuzzy Hash: 6e87aaed5d8d179cb853c49ede2e00b07b0b3d8460d69e95f0b99455831b6662
                  • Instruction Fuzzy Hash: CCE092B66006044B9650CF0BED41452F7D8EB88630B08C47FDC0D8B711E276B518CEA6
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.4158902676.0000000005330000.00000040.00000800.00020000.00000000.sdmp, Offset: 05330000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5330000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f6245ca5bb8220c5acf99aa9b34ca67b65266399713457795e0267375cba4a6c
                  • Instruction ID: 07a5aa6b68e3688fa686ea8f578337a8ba5d2076b0e8c7d5b505dbd42c984af7
                  • Opcode Fuzzy Hash: f6245ca5bb8220c5acf99aa9b34ca67b65266399713457795e0267375cba4a6c
                  • Instruction Fuzzy Hash: B9E0D8B254120467D2108E0A9C45F53FB9CDB54931F04C46BED081B742E172B51489E5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.4158902676.0000000005330000.00000040.00000800.00020000.00000000.sdmp, Offset: 05330000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5330000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f6a876ebb59a32bd654e671f03eaa740c1c39d3afc5a9a2765bedb6a1ec4f6b9
                  • Instruction ID: 39c6a73bc3ad1f398df912a32dd09ce49e41978efe7ad9f1700dfdc504dc5e9c
                  • Opcode Fuzzy Hash: f6a876ebb59a32bd654e671f03eaa740c1c39d3afc5a9a2765bedb6a1ec4f6b9
                  • Instruction Fuzzy Hash: 05E0D8B250020467D2109E0AAC45F53FB98DB50930F08C467EE091B702E172B514CDE5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.4153940785.0000000000A0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_a0a000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b5c37b146dd0f8cf744a2c4411daa4b5c152ecff59c62c5846876a8fba627fe0
                  • Instruction ID: ff5420e88ea08d5bb2e8bd2a855dfef5cb023197a05ccbada66491bd11ded211
                  • Opcode Fuzzy Hash: b5c37b146dd0f8cf744a2c4411daa4b5c152ecff59c62c5846876a8fba627fe0
                  • Instruction Fuzzy Hash: 44E020B254020467D2108F079D45F53F79CDB50931F04C567EE091B702E172B514CDF6
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.4153770720.00000000009F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F2000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9f2000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 01d278d3428de0228fae0a8a7fb9d6d08d2d33197362cac0b5c9ab538aeb215e
                  • Instruction ID: 122989b8a4623e4b6a0e9cef47735067dc8c65bf82ed7b6cfa9387d8470ea47b
                  • Opcode Fuzzy Hash: 01d278d3428de0228fae0a8a7fb9d6d08d2d33197362cac0b5c9ab538aeb215e
                  • Instruction Fuzzy Hash: D4D05E79209AD54FD3279B1CC6A4BA537D8AB51714F4A44FAA800CB773C7A8D981D610
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.4153770720.00000000009F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F2000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_9f2000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 72f9cbefc1087d96efd2e8b29d47b998b60d9f4b5a7a5486528bad1df5b69333
                  • Instruction ID: e62f96d106523c84b07ea66df26bf369f50ab22a2b95e1d79cbe8bc3dc676bb3
                  • Opcode Fuzzy Hash: 72f9cbefc1087d96efd2e8b29d47b998b60d9f4b5a7a5486528bad1df5b69333
                  • Instruction Fuzzy Hash: 77D05E742006854BC725DB0CC2D4F6977D8AB40B14F0644E8AC108B762C7B8D8C4DA00
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Execution Graph

                  Execution Coverage:15.4%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:12
                  Total number of Limit Nodes:0
Execution graph (interactive rendering not preserved; recovered node chains, address -> address):
• 77a646 -> 77a67e (CreateMutexW) -> 77a6c1
• 77a462 -> 77a486 (RegSetValueExW) -> 77a507
• 77a612 -> 77a646 (CreateMutexW) -> 77a6c1
• 77a361 -> 77a392 (RegQueryValueExW) -> 77a41b

                  Callgraph

                  Control-flow Graph

Control-flow graph (interactive rendering not preserved): basic blocks 4a20278-4a20bcb, no API calls annotated
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.1985721211.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4a20000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID: ax
                  • API String ID: 0-3322492788
                  • Opcode ID: db87d8bb0e27d45868fe51296f391a9528bcf98fca051552d9c5c185d30cc007
                  • Instruction ID: f5ca233c1051808510d71ff88545514435031cba9fa6d22a81f5c0d2a9dded17
                  • Opcode Fuzzy Hash: db87d8bb0e27d45868fe51296f391a9528bcf98fca051552d9c5c185d30cc007
                  • Instruction Fuzzy Hash: 1EA16D70A01228CFDB24EF78D954BADB7B2AF44304F1084E9D509AB391DB39AE85CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

Control-flow graph (interactive rendering not preserved): basic blocks 77a612-77a70e, CreateMutexW called from block 77a6b3-77a6d7
                  APIs
                  • CreateMutexW.KERNELBASE(?,?), ref: 0077A6B9
                  Memory Dump Source
                  • Source File: 00000007.00000002.1985057732.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_77a000_WindowsServices.jbxd
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: 4bb004944014b44eb696cb9124e3bf01f760814242737eae16bbe90fe6e30ea4
                  • Instruction ID: 6dca62f3289f6f73e8b4b76ae319adab1f835e456de13f80eff405ed649f4b35
                  • Opcode Fuzzy Hash: 4bb004944014b44eb696cb9124e3bf01f760814242737eae16bbe90fe6e30ea4
                  • Instruction Fuzzy Hash: E03195755093806FE721CB25DC45B96BFF8EF06314F08849AE984CF692D375E909C762
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

Control-flow graph (interactive rendering not preserved): basic blocks 77a361-77a447, RegQueryValueExW called from block 77a406-77a419
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,1E518A44,00000000,00000000,00000000,00000000), ref: 0077A40C
                  Memory Dump Source
                  • Source File: 00000007.00000002.1985057732.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_77a000_WindowsServices.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: cbbe1b40550da19b979348b163eef2e2c784d95f8a1377fde166259e1443586a
                  • Instruction ID: 20cef001121963d139ba193b6e5f00ee4965b3b7005dfa5db130690e60113b36
                  • Opcode Fuzzy Hash: cbbe1b40550da19b979348b163eef2e2c784d95f8a1377fde166259e1443586a
                  • Instruction Fuzzy Hash: C331B4715053806FE721CF15CC84F96BBF8EF45750F08849AE945CB652D324ED09CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

Control-flow graph (interactive rendering not preserved): basic blocks 77a462-77a533, RegSetValueExW called from block 77a4f2-77a505
                  APIs
                  • RegSetValueExW.KERNELBASE(?,00000E24,1E518A44,00000000,00000000,00000000,00000000), ref: 0077A4F8
                  Memory Dump Source
                  • Source File: 00000007.00000002.1985057732.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_77a000_WindowsServices.jbxd
                  Similarity
                  • API ID: Value
                  • String ID:
                  • API String ID: 3702945584-0
                  • Opcode ID: 36ef7a29fdba2140c2dd336b8ef22309133432fc66b59863070f57b937ea5dbc
                  • Instruction ID: d51373822363d9b83ef23a1f181b9475821de623d86e3720f2a3cb3cd9c5babd
                  • Opcode Fuzzy Hash: 36ef7a29fdba2140c2dd336b8ef22309133432fc66b59863070f57b937ea5dbc
                  • Instruction Fuzzy Hash: 772192B25053806FEB228F15DC44FA7BFB8DF46714F08849AE945CB692D264E909C771
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

Control-flow graph (interactive rendering not preserved): basic blocks 77a646-77a70e, CreateMutexW called from block 77a6b3-77a6bb
                  APIs
                  • CreateMutexW.KERNELBASE(?,?), ref: 0077A6B9
                  Memory Dump Source
                  • Source File: 00000007.00000002.1985057732.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_77a000_WindowsServices.jbxd
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: 88ced599ed460e4cfa4ef893e5134e427aa86c6c1a5525538f69d26062017106
                  • Instruction ID: fd9e39bb975b35d6d416ba264292d55c3b5d8b2293119b6b448d3738a4a2ea35
                  • Opcode Fuzzy Hash: 88ced599ed460e4cfa4ef893e5134e427aa86c6c1a5525538f69d26062017106
                  • Instruction Fuzzy Hash: DC21B371601200AFFB20CB25DD45BA6F7E8EF44354F08C869E948CB741D779E905CA72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

Control-flow graph (interactive rendering not preserved): basic blocks 77a392-77a447, RegQueryValueExW called from block 77a406-77a419
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,1E518A44,00000000,00000000,00000000,00000000), ref: 0077A40C
                  Memory Dump Source
                  • Source File: 00000007.00000002.1985057732.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_77a000_WindowsServices.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: 806f80e6432d3e1cc6b086902528a24124a3695f7c568ab282356f6bd3e61452
                  • Instruction ID: 152ea310b4cf3e5a304f4813479a433ab76b466125d16a379a7d33958db1197c
                  • Opcode Fuzzy Hash: 806f80e6432d3e1cc6b086902528a24124a3695f7c568ab282356f6bd3e61452
                  • Instruction Fuzzy Hash: 2A216D75600204AFEB30CF19CD84FAAB7E8EF44754F08C46AE9498B651D778E909CA72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

Control-flow graph (interactive rendering not preserved): basic blocks 77a486-77a533, RegSetValueExW called from block 77a4f2-77a505
                  APIs
                  • RegSetValueExW.KERNELBASE(?,00000E24,1E518A44,00000000,00000000,00000000,00000000), ref: 0077A4F8
                  Memory Dump Source
                  • Source File: 00000007.00000002.1985057732.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_77a000_WindowsServices.jbxd
                  Similarity
                  • API ID: Value
                  • String ID:
                  • API String ID: 3702945584-0
                  • Opcode ID: 67d5326005ea370b5b7af08293c2a7c932169bb0eefc4f12a653b29f05bb54e1
                  • Instruction ID: 0f12866d55e4905c3afaa5c928a8e6a1f1b0343ca4204da4fa6cf0e085072a06
                  • Opcode Fuzzy Hash: 67d5326005ea370b5b7af08293c2a7c932169bb0eefc4f12a653b29f05bb54e1
                  • Instruction Fuzzy Hash: EB11A271500300AFEB318E15CD45BABBBE8EF44754F04C46AE9498AA41D778E8088A72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

Control-flow graph (interactive rendering not preserved): basic blocks 4a20268-4a20bcb, no API calls annotated
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.1985721211.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4a20000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID: ax
                  • API String ID: 0-3322492788
                  • Opcode ID: 68b049a06f6aa6ed0ea7112ff9b15ea36f9147330c6938c0bbf30730292b59e2
                  • Instruction ID: df43a6f5c254fbdac6987fcc06c977b5d01df83db05e57ca7b8f7d0d46944ef2
                  • Opcode Fuzzy Hash: 68b049a06f6aa6ed0ea7112ff9b15ea36f9147330c6938c0bbf30730292b59e2
                  • Instruction Fuzzy Hash: D3818D70A01228CFDB24EF79D944BADB7B2AF45304F1084E9D009AB395DB399E85CF61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

Control-flow graph (interactive rendering not preserved): basic blocks 4a20080-4a20263, no API calls annotated
                  Memory Dump Source
                  • Source File: 00000007.00000002.1985721211.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4a20000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5febe70eca6b7bf9ad53028233ef3efd2fe42ab708207221ca5d5b5967395c96
                  • Instruction ID: fff03d9a1be2fa4f3bbfcced838fccc54cc0a07de7da476372f2f79b1ac0f59b
                  • Opcode Fuzzy Hash: 5febe70eca6b7bf9ad53028233ef3efd2fe42ab708207221ca5d5b5967395c96
                  • Instruction Fuzzy Hash: 63412F30216A42CFC724FF3DE58598977B3AF9024870098FDD0448B66FEB385949CB92
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

Control-flow graph (interactive rendering not preserved): basic blocks 4a20007-4a20076; block 4a20070 calls 7a05e0, 4a20268, 4a20278, 7723bc and 7a0606
                  Memory Dump Source
                  • Source File: 00000007.00000002.1985721211.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4a20000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 16f7481bd0e66b65b87bd000af9edbcbe86f85f040b3af8e48004f4598862d31
                  • Instruction ID: fd2075aabf0639c1f2ce5624ce460b42712760d85315a36eee453682c93cab6e
                  • Opcode Fuzzy Hash: 16f7481bd0e66b65b87bd000af9edbcbe86f85f040b3af8e48004f4598862d31
                  • Instruction Fuzzy Hash: FE01459288E7D25FE71793786D68590BF305E6320471E41DBC1C1CF0E7E109194AE763
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

Control-flow graph (interactive rendering not preserved): basic blocks 7a05e0-7a0643, no API calls annotated
                  Memory Dump Source
                  • Source File: 00000007.00000002.1985132797.00000000007A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_7a0000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f0c832fe52f0daa90896a4cb0226522b324890c35341609fedc7a853c06ac185
                  • Instruction ID: 508ac0c7a2ad505b7246264859f85b3742ab43dba73a66fc167cdfd8a0fdc967
                  • Opcode Fuzzy Hash: f0c832fe52f0daa90896a4cb0226522b324890c35341609fedc7a853c06ac185
                  • Instruction Fuzzy Hash: 0CF0A9B65093805FD7118B069C40862FFE8EF86630709C4AFEC498B752D225AD08C7B1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

Control-flow graph (interactive rendering not preserved): basic blocks 7a0606-7a0643, no API calls annotated
                  Memory Dump Source
                  • Source File: 00000007.00000002.1985132797.00000000007A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_7a0000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8834157be76b63b3a59840924e28185c6c31f4099c60ad89d6968e49833b78f7
                  • Instruction ID: be2817081d3b338be6cc4992640b57931a329d22f7664675f4749357a5bb7e8e
                  • Opcode Fuzzy Hash: 8834157be76b63b3a59840924e28185c6c31f4099c60ad89d6968e49833b78f7
                  • Instruction Fuzzy Hash: 6EE092B66016004B9650CF0AEC81452F7D8EB88630B08C47FDC0D8B711D235B908CAA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 267 7723f4-7723ff 268 772412-772417 267->268 269 772401-77240e 267->269 270 77241a 268->270 271 772419 268->271 269->268 272 772420-772421 270->272
                  Memory Dump Source
                  • Source File: 00000007.00000002.1985042393.0000000000772000.00000040.00000800.00020000.00000000.sdmp, Offset: 00772000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_772000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b64c5752112e1acae121709183c4fd73bd5cb0735312c4f465484c83e2bf3b36
                  • Instruction ID: f72a670f6cb35aa2a40e4f84a0129b48695c664820f92450a85d13d34d6f8a05
                  • Opcode Fuzzy Hash: b64c5752112e1acae121709183c4fd73bd5cb0735312c4f465484c83e2bf3b36
                  • Instruction Fuzzy Hash: 2CD02E7A300AC08FD7228A0CC2A4B8537D4AB40704F0A88F9A800CB763C72CDD82C200
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 273 7723bc-7723c3 274 7723d6-7723db 273->274 275 7723c5-7723d2 273->275 276 7723e1 274->276 277 7723dd-7723e0 274->277 275->274 278 7723e7-7723e8 276->278
                  Memory Dump Source
                  • Source File: 00000007.00000002.1985042393.0000000000772000.00000040.00000800.00020000.00000000.sdmp, Offset: 00772000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_772000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3407b877634b8f91746a4dfb54b895d5acddd0b11c0920fae7fee579a04b8478
                  • Instruction ID: dc93c4714e61aaa212765f0a085f794c8b6756012ae624c95b49399dc163ab66
                  • Opcode Fuzzy Hash: 3407b877634b8f91746a4dfb54b895d5acddd0b11c0920fae7fee579a04b8478
                  • Instruction Fuzzy Hash: 15D05E342006814BCB25DA0CC2D4F5977D4AB40714F0684ECAC208B763C7BCD8C1DA00
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Execution Graph

                  Execution Coverage:11%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:19
                  Total number of Limit Nodes:1
                  execution_graph 572 162a462 574 162a486 RegSetValueExW 572->574 575 162a507 574->575 580 162a612 581 162a646 CreateMutexW 580->581 583 162a6c1 581->583 584 162a710 586 162a74e FindCloseChangeNotification 584->586 587 162a788 586->587 576 162a361 577 162a392 RegQueryValueExW 576->577 579 162a41b 577->579 560 162a646 562 162a67e CreateMutexW 560->562 563 162a6c1 562->563 568 162a74e 569 162a77a FindCloseChangeNotification 568->569 570 162a7b9 568->570 571 162a788 569->571 570->569

                  Callgraph

                  Control-flow Graph

                  control_flow_graph 0 55f0278-55f02a6 1 55f02ae-55f02bc 0->1 2 55f02a8 0->2 3 55f03d8-55f03ec 1->3 4 55f02c2-55f0305 1->4 2->1 7 55f0475-55f04c8 3->7 8 55f03f2-55f046b 3->8 22 55f03b9-55f03d2 4->22 20 55f04cf-55f04e9 7->20 21 55f04ca 7->21 8->7 25 55f04eb-55f0515 20->25 26 55f0520-55f0677 20->26 21->20 22->3 23 55f030a-55f0316 22->23 27 55f0bbd 23->27 28 55f031c-55f034d 23->28 25->26 57 55f06ff-55f0bb8 26->57 58 55f067d-55f06bb 26->58 30 55f0bc2-55f0bcb 27->30 37 55f034f-55f0385 28->37 38 55f0390-55f03b3 28->38 37->38 38->22 38->30 58->57
                  Strings
                  Memory Dump Source
                  • Source File: 00000008.00000002.2077895062.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_55f0000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID: %\#k^$5\#k^$E\#k^
                  • API String ID: 0-2580760940
                  • Opcode ID: 5f4ef81fb7f075cd95333c36edba427839a395fb7258cfbb79c0e01d24597455
                  • Instruction ID: 06b1541aeb0d167daf8d821599b3cd4d8bdcd362a7d24a290d494f93323d18c3
                  • Opcode Fuzzy Hash: 5f4ef81fb7f075cd95333c36edba427839a395fb7258cfbb79c0e01d24597455
                  • Instruction Fuzzy Hash: 15A14A74A01228CFDB24DF75C854BADBBB2BF45304F1084A9E50AAB3A1DB399D85CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 64 55f0268-55f02a6 66 55f02ae-55f02bc 64->66 67 55f02a8 64->67 68 55f03d8-55f03ec 66->68 69 55f02c2-55f0305 66->69 67->66 72 55f0475-55f04aa 68->72 73 55f03f2-55f046b 68->73 87 55f03b9-55f03d2 69->87 82 55f04b5-55f04c8 72->82 73->72 85 55f04cf-55f04e9 82->85 86 55f04ca 82->86 90 55f04eb-55f0515 85->90 91 55f0520-55f0677 85->91 86->85 87->68 88 55f030a-55f0316 87->88 92 55f0bbd 88->92 93 55f031c-55f034d 88->93 90->91 122 55f06ff-55f0bb8 91->122 123 55f067d-55f06bb 91->123 95 55f0bc2-55f0bcb 92->95 102 55f034f-55f0385 93->102 103 55f0390-55f03b3 93->103 102->103 103->87 103->95 123->122
                  Strings
                  Memory Dump Source
                  • Source File: 00000008.00000002.2077895062.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_55f0000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID: %\#k^$5\#k^$E\#k^
                  • API String ID: 0-2580760940
                  • Opcode ID: fc314142d22144490550e33533b06524a3b3ce56b93bffa927cfad8e5e1ea22d
                  • Instruction ID: 40a9ea99c635d0f9d738a72361b16fd06d0c237531fd3be3eca1e9725f7eae5c
                  • Opcode Fuzzy Hash: fc314142d22144490550e33533b06524a3b3ce56b93bffa927cfad8e5e1ea22d
                  • Instruction Fuzzy Hash: 21815970A01228CFDB24DF75C844BADBBB2BF45304F1084A9E50AAB3A1DB399D95CF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 129 162a612-162a695 133 162a697 129->133 134 162a69a-162a6a3 129->134 133->134 135 162a6a5 134->135 136 162a6a8-162a6b1 134->136 135->136 137 162a702-162a707 136->137 138 162a6b3-162a6d7 CreateMutexW 136->138 137->138 141 162a709-162a70e 138->141 142 162a6d9-162a6ff 138->142 141->142
                  APIs
                  • CreateMutexW.KERNELBASE(?,?), ref: 0162A6B9
                  Memory Dump Source
                  • Source File: 00000008.00000002.2077374156.000000000162A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_162a000_WindowsServices.jbxd
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: 688ffbac1eff694d5103cc1565bfa56090c1c1848a28e79f204996e045ecee52
                  • Instruction ID: 3399ce402678a4383c9dc6671ceb8dfec9fb4192f483d72cbb7138730841797c
                  • Opcode Fuzzy Hash: 688ffbac1eff694d5103cc1565bfa56090c1c1848a28e79f204996e045ecee52
                  • Instruction Fuzzy Hash: D931D3755097805FE722CB65CC85B96BFF8EF06210F08849AE984CF693D375E909CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 145 162a361-162a3cf 148 162a3d1 145->148 149 162a3d4-162a3dd 145->149 148->149 150 162a3e2-162a3e8 149->150 151 162a3df 149->151 152 162a3ea 150->152 153 162a3ed-162a404 150->153 151->150 152->153 155 162a406-162a419 RegQueryValueExW 153->155 156 162a43b-162a440 153->156 157 162a442-162a447 155->157 158 162a41b-162a438 155->158 156->155 157->158
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,788B9063,00000000,00000000,00000000,00000000), ref: 0162A40C
                  Memory Dump Source
                  • Source File: 00000008.00000002.2077374156.000000000162A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_162a000_WindowsServices.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: b80f3694279f63247ae2abd248a64607b8d3845a5b6d4a66bddde37be8010753
                  • Instruction ID: 7ae0487c4031c71f3605914f95bc849e6930c4fde624bd947fd6495ab2e2c72e
                  • Opcode Fuzzy Hash: b80f3694279f63247ae2abd248a64607b8d3845a5b6d4a66bddde37be8010753
                  • Instruction Fuzzy Hash: AB317175505780AFE722CF55CC84F96BFF8EF06610F08849AE985CB692D364E909CB71
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 162 162a462-162a4c3 165 162a4c5 162->165 166 162a4c8-162a4d4 162->166 165->166 167 162a4d6 166->167 168 162a4d9-162a4f0 166->168 167->168 170 162a4f2-162a505 RegSetValueExW 168->170 171 162a527-162a52c 168->171 172 162a507-162a524 170->172 173 162a52e-162a533 170->173 171->170 173->172
                  APIs
                  • RegSetValueExW.KERNELBASE(?,00000E24,788B9063,00000000,00000000,00000000,00000000), ref: 0162A4F8
                  Memory Dump Source
                  • Source File: 00000008.00000002.2077374156.000000000162A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_162a000_WindowsServices.jbxd
                  Similarity
                  • API ID: Value
                  • String ID:
                  • API String ID: 3702945584-0
                  • Opcode ID: 21113ed0ddbe139cd383339025ced310eeb050ad1f6deb887cd58f11de35898e
                  • Instruction ID: f102c3a8e22bd12394a38a8b8131b6524e4b792e0c708d535aa1386c746f5387
                  • Opcode Fuzzy Hash: 21113ed0ddbe139cd383339025ced310eeb050ad1f6deb887cd58f11de35898e
                  • Instruction Fuzzy Hash: B421E0721047806FE7228F54CC44FA7BFB8EF06210F08849AE985CBA92C364E809CB71
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 177 162a646-162a695 180 162a697 177->180 181 162a69a-162a6a3 177->181 180->181 182 162a6a5 181->182 183 162a6a8-162a6b1 181->183 182->183 184 162a702-162a707 183->184 185 162a6b3-162a6bb CreateMutexW 183->185 184->185 187 162a6c1-162a6d7 185->187 188 162a709-162a70e 187->188 189 162a6d9-162a6ff 187->189 188->189
                  APIs
                  • CreateMutexW.KERNELBASE(?,?), ref: 0162A6B9
                  Memory Dump Source
                  • Source File: 00000008.00000002.2077374156.000000000162A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_162a000_WindowsServices.jbxd
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: 61b3232458ed0d5973f222869c59760349d7656688c12675ba668a4119317ead
                  • Instruction ID: e9c1e8eae84dd469aab0dbee61d0b1d5bc6ddcc326cd37bfb020cc37c3fb34d2
                  • Opcode Fuzzy Hash: 61b3232458ed0d5973f222869c59760349d7656688c12675ba668a4119317ead
                  • Instruction Fuzzy Hash: E621C2756006109FE720CF69DD85BA6FBE8EF04214F04C869E9458BB42D7B5E509CEB1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 192 162a392-162a3cf 194 162a3d1 192->194 195 162a3d4-162a3dd 192->195 194->195 196 162a3e2-162a3e8 195->196 197 162a3df 195->197 198 162a3ea 196->198 199 162a3ed-162a404 196->199 197->196 198->199 201 162a406-162a419 RegQueryValueExW 199->201 202 162a43b-162a440 199->202 203 162a442-162a447 201->203 204 162a41b-162a438 201->204 202->201 203->204
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,788B9063,00000000,00000000,00000000,00000000), ref: 0162A40C
                  Memory Dump Source
                  • Source File: 00000008.00000002.2077374156.000000000162A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_162a000_WindowsServices.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: 4b7b435fe76d1675ce98024ca7a062f7e53e1dd016e30792bb8ff5ac7f6375e7
                  • Instruction ID: 937cfd2675f9759f364ec346811eac2b5f700389fe0a60ed13323afd80269d1e
                  • Opcode Fuzzy Hash: 4b7b435fe76d1675ce98024ca7a062f7e53e1dd016e30792bb8ff5ac7f6375e7
                  • Instruction Fuzzy Hash: 64216D756006049FE731CE59CD84FA6FBECEF04610F04846AE945CBB51D7A4E909CA71
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 208 162a710-162a778 210 162a77a-162a782 FindCloseChangeNotification 208->210 211 162a7b9-162a7be 208->211 213 162a788-162a79a 210->213 211->210 214 162a7c0-162a7c5 213->214 215 162a79c-162a7b8 213->215 214->215
                  APIs
                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0162A780
                  Memory Dump Source
                  • Source File: 00000008.00000002.2077374156.000000000162A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_162a000_WindowsServices.jbxd
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0
                  • Opcode ID: add871f3e4a2634f30ec1d8506fc219af1b6a3fee4beefdb476ad12c93339034
                  • Instruction ID: 538938b5945dbaefaf6422473b5b1503b2d279794d3fa82e23016f4a6076fc16
                  • Opcode Fuzzy Hash: add871f3e4a2634f30ec1d8506fc219af1b6a3fee4beefdb476ad12c93339034
                  • Instruction Fuzzy Hash: 3A21D1B55083809FD7128F15DC85752BFB8EF02324F0984DBDC858F693D2759905CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 217 162a486-162a4c3 219 162a4c5 217->219 220 162a4c8-162a4d4 217->220 219->220 221 162a4d6 220->221 222 162a4d9-162a4f0 220->222 221->222 224 162a4f2-162a505 RegSetValueExW 222->224 225 162a527-162a52c 222->225 226 162a507-162a524 224->226 227 162a52e-162a533 224->227 225->224 227->226
                  APIs
                  • RegSetValueExW.KERNELBASE(?,00000E24,788B9063,00000000,00000000,00000000,00000000), ref: 0162A4F8
                  Memory Dump Source
                  • Source File: 00000008.00000002.2077374156.000000000162A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_162a000_WindowsServices.jbxd
                  Similarity
                  • API ID: Value
                  • String ID:
                  • API String ID: 3702945584-0
                  • Opcode ID: ecf1046ea612a8f5a3e3e959573b490b949497b9a4ceb9c476bf4387dff2094e
                  • Instruction ID: 836e709e17d5aad3f4b3638fb9b62aeb448af429edb862f8dfe05caa0614f611
                  • Opcode Fuzzy Hash: ecf1046ea612a8f5a3e3e959573b490b949497b9a4ceb9c476bf4387dff2094e
                  • Instruction Fuzzy Hash: 8711AF72500600AFE7318E59DD45BA7BBECEF04614F04846AED459BB41D7B4E509CAB1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 231 162a74e-162a778 232 162a77a-162a782 FindCloseChangeNotification 231->232 233 162a7b9-162a7be 231->233 235 162a788-162a79a 232->235 233->232 236 162a7c0-162a7c5 235->236 237 162a79c-162a7b8 235->237 236->237
                  APIs
                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0162A780
                  Memory Dump Source
                  • Source File: 00000008.00000002.2077374156.000000000162A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_162a000_WindowsServices.jbxd
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0
                  • Opcode ID: 4e4f2e0e1db73bde378ba9f43a94d879516455bf328d6bcb71a22c9aa14930fa
                  • Instruction ID: 3d2756b3805e9aadd0d03e78cc47be0d6c49f0918d7e6966050d700ba55554b8
                  • Opcode Fuzzy Hash: 4e4f2e0e1db73bde378ba9f43a94d879516455bf328d6bcb71a22c9aa14930fa
                  • Instruction Fuzzy Hash: F901BC75A006008FEB208F59DD84766FBA4DF04220F08C4AADC4A8FB42D7B8A408CEA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 239 55f0080-55f00ad 242 55f00b8-55f0263 239->242
                  Memory Dump Source
                  • Source File: 00000008.00000002.2077895062.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_55f0000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5a3fdd0653dbbb45da61484ee7078daed5dd1b27412df3cceffb31b57cd83733
                  • Instruction ID: 66ddcbfc9f6e827139ca8759bcda2eb2b9d794ff921f4d4005d3529ee5ab02a2
                  • Opcode Fuzzy Hash: 5a3fdd0653dbbb45da61484ee7078daed5dd1b27412df3cceffb31b57cd83733
                  • Instruction Fuzzy Hash: 74414534A062828FD724DF38E55498A7FF2FF95248740887DE1044B76AEB7C5C69DB81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 269 16305e0-16305e1 270 16305e3-1630603 269->270 271 1630579-16305be 269->271 272 1630606-1630620 270->272 273 1630626-1630643 272->273
                  Memory Dump Source
                  • Source File: 00000008.00000002.2077393574.0000000001630000.00000040.00000020.00020000.00000000.sdmp, Offset: 01630000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_1630000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 76a2836eb1468a556deebec5cac633c29558d1d2bf19398b296c8314aaf2a042
                  • Instruction ID: 49cf45260b6d9b1ecb11fa70f62a268b9f0281d1de53ddd46ec37a37695a81d1
                  • Opcode Fuzzy Hash: 76a2836eb1468a556deebec5cac633c29558d1d2bf19398b296c8314aaf2a042
                  • Instruction Fuzzy Hash: 8F0196B150D3806FC7138B25DD51862BFB8DE8726070984EBE849CF663E225A909C7B2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 274 55f0006-55f0076
                  Memory Dump Source
                  • Source File: 00000008.00000002.2077895062.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_55f0000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bcb3a799e4a3ecf9a152d6609ee9bd76af2ead41cb623ed9612a424e227a7ef4
                  • Instruction ID: 724b60a0e16ef250771d1ba7f3cf07ec3aa719e141a004c4b680709f6854e8e1
                  • Opcode Fuzzy Hash: bcb3a799e4a3ecf9a152d6609ee9bd76af2ead41cb623ed9612a424e227a7ef4
                  • Instruction Fuzzy Hash: D3015F6654E3D08FD3034B68DCA16883FB0AF57224B4E05E7C0C0CB6A3D25C595AD722
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 275 1630606-1630620 276 1630626-1630643 275->276
                  Memory Dump Source
                  • Source File: 00000008.00000002.2077393574.0000000001630000.00000040.00000020.00020000.00000000.sdmp, Offset: 01630000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_1630000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d079cdfc57294d9d7a588b497b4ab308ce1e43fe029b30a4455a63ee35a92ad1
                  • Instruction ID: 4ff23f724e6b72151e998833ee51dc2e93323a139077933cbf1ec6e8576d0ea0
                  • Opcode Fuzzy Hash: d079cdfc57294d9d7a588b497b4ab308ce1e43fe029b30a4455a63ee35a92ad1
                  • Instruction Fuzzy Hash: 91E092B66006004B9660CF0AFC81452F7D8EB88630708C47FDC0D8B711E239B509CAE5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 277 16223f4-16223ff 278 1622412-1622417 277->278 279 1622401-162240e 277->279 280 162241a 278->280 281 1622419 278->281 279->278 282 1622420-1622421 280->282
                  Memory Dump Source
                  • Source File: 00000008.00000002.2077356344.0000000001622000.00000040.00000800.00020000.00000000.sdmp, Offset: 01622000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_1622000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d0fc5db715550f352a6b4ce5a8ac7abba2da755b2f693d75144275363fe829e8
                  • Instruction ID: 410bca324fc19905c29cf192807dc71d6d50f705a02b1b24a91937a3a5bf2dd6
                  • Opcode Fuzzy Hash: d0fc5db715550f352a6b4ce5a8ac7abba2da755b2f693d75144275363fe829e8
                  • Instruction Fuzzy Hash: 67D05E79206AE14FE3269A1CCAA4B953BE4AB51714F4A44FEEC00CB763C768D5D1DA10
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000008.00000002.2077356344.0000000001622000.00000040.00000800.00020000.00000000.sdmp, Offset: 01622000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_1622000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5ceb5305a9e34f6d34f54a1a1153aca3e4baf286757cd9e335dee6b30b54140b
                  • Instruction ID: 910ebf214cbd2111439c494d744b76213b946ce6e86a6144372e83e8fe24195a
                  • Opcode Fuzzy Hash: 5ceb5305a9e34f6d34f54a1a1153aca3e4baf286757cd9e335dee6b30b54140b
                  • Instruction Fuzzy Hash: 43D05E342006814BD729DA0CC6E4F597BD4AF40714F0644ECAC108B762C7B4D8C0DE00
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Execution Graph

                  Execution Coverage:14%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:19
                  Total number of Limit Nodes:1
                  execution_graph 584 10aa74e 585 10aa77a FindCloseChangeNotification 584->585 586 10aa7b9 584->586 587 10aa788 585->587 586->585 600 10aa612 602 10aa646 CreateMutexW 600->602 603 10aa6c1 602->603 608 10aa462 610 10aa486 RegSetValueExW 608->610 611 10aa507 610->611 604 10aa710 605 10aa74e FindCloseChangeNotification 604->605 607 10aa788 605->607 612 10aa361 613 10aa392 RegQueryValueExW 612->613 615 10aa41b 613->615 596 10aa646 597 10aa67e CreateMutexW 596->597 599 10aa6c1 597->599
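The execution_graph line above (this one for process 9, and the matching one for process 8 earlier on the page), the control_flow_graph node lists and the callgraph line are the text left behind by the report's graph images: each is a flat list of numbered nodes (an address or a start-end block range, optionally followed by the API that block calls) and src->dst edges. The parser below is an added example written for this page, not Joe Sandbox's own code; its grammar is inferred from the dump lines shown here and its sample input is copied from the process-9 dumps. It recovers the API call sites (RegQueryValueExW, RegSetValueExW, CreateMutexW, FindCloseChangeNotification) and the per-function call order, which is the part of this section a triage analyst actually needs. One caveat when reading the result: FindCloseChangeNotification in kernel32/KernelBase resolves to the same code as CloseHandle, so disassemblers that name imports by address commonly print it where the code merely closes a handle; read it as a handle close unless a FindFirstChangeNotification call appears nearby.

```python
"""Parse the graph dumps a Joe Sandbox report leaves as text (execution_graph,
control_flow_graph and callgraph lines, plus the "APIs" bullets) and recover
the Win32 API call sequence the dumped code reaches."""
import re
from collections import defaultdict

# Constructed sample input, copied from this report's process-9 dumps (the
# 010AAxxx injected region); nothing is fetched, everything runs offline.
SAMPLE_EXECUTION_GRAPH = (
    "execution_graph 584 10aa74e 585 10aa77a FindCloseChangeNotification "
    "584->585 586 10aa7b9 584->586 587 10aa788 585->587 586->585 600 10aa612 "
    "602 10aa646 CreateMutexW 600->602 603 10aa6c1 602->603 608 10aa462 "
    "610 10aa486 RegSetValueExW 608->610 611 10aa507 610->611 604 10aa710 "
    "605 10aa74e FindCloseChangeNotification 604->605 607 10aa788 605->607 "
    "612 10aa361 613 10aa392 RegQueryValueExW 612->613 615 10aa41b 613->615 "
    "596 10aa646 597 10aa67e CreateMutexW 596->597 599 10aa6c1 597->599"
)
SAMPLE_API_LINES = [
    "• CreateMutexW.KERNELBASE(?,?), ref: 010AA6B9",
    "• RegQueryValueExW.KERNELBASE(?,00000E24,98A9372A,00000000,00000000,"
    "00000000,00000000), ref: 010AA40C",
]

_ID = re.compile(r"^\d+$")              # node number
_EDGE = re.compile(r"^(\d+)->(\d+)$")   # src->dst
_API_LINE = re.compile(r"^\W*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")

def _sort_key(pair):
    """Sort (address, value) pairs by address, unknown (None) addresses last."""
    return (pair[0] is None, pair[0] or 0, str(pair[1]))

def parse_graph(line):
    """One dump line -> (nodes, edges).  Grammar: [kind] (id label [Api] | a->b)*
    label = address, 'start-end' block range or Function_XXXX; nodes: id -> (label, api)."""
    tokens = line.split()
    if tokens and not _ID.match(tokens[0]) and "->" not in tokens[0]:
        tokens = tokens[1:]                 # drop 'execution_graph' etc.
    nodes, edges, i = {}, [], 0
    while i < len(tokens):
        m = _EDGE.match(tokens[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if not _ID.match(tokens[i]) or i + 1 >= len(tokens):
            raise ValueError(f"unexpected token {tokens[i]!r} at {i}")
        node_id, label, i = int(tokens[i]), tokens[i + 1], i + 2
        api = None
        if i < len(tokens) and not _ID.match(tokens[i]) and not _EDGE.match(tokens[i]):
            api, i = tokens[i], i + 1       # an API name rides on its node
        nodes[node_id] = (label, api)
    return nodes, edges

def node_address(label):
    """'10aa6b3-10aa6d7' -> 0x10aa6b3, 'Function_010AA486' -> 0x10aa486, else None."""
    try:
        return int(label.rsplit("_", 1)[-1].split("-")[0], 16)
    except ValueError:
        return None

def api_calls(line):
    """API-calling nodes as (address, api) pairs, lowest address first."""
    nodes, _ = parse_graph(line)
    hits = ((node_address(lbl), api) for lbl, api in nodes.values() if api)
    return sorted(hits, key=_sort_key)

def api_chains(line):
    """Per root (no incoming edge): APIs reached depth-first, as [(root_address, [api...])]."""
    nodes, edges = parse_graph(line)
    succ, has_parent = defaultdict(list), set()
    for src, dst in edges:
        succ[src].append(dst)
        has_parent.add(dst)
    chains = []
    for root in nodes:
        if root in has_parent:
            continue
        seen, stack, apis = set(), [root], []
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            api = nodes.get(n, (None, None))[1]
            if api:
                apis.append(api)
            stack.extend(reversed(succ[n]))  # keep the dump's left-to-right order
        chains.append((node_address(nodes[root][0]), apis))
    return sorted(chains, key=_sort_key)

def parse_api_line(text):
    """'• Api.Module(args), ref: addr' -> dict; '?' marks an argument the plugin
    could not resolve statically, not a literal value."""
    m = _API_LINE.match(text)
    if not m:
        raise ValueError(f"not an API bullet: {text!r}")
    api, module, args, ref = m.groups()
    return {"api": api, "module": module,
            "args": args.split(",") if args else [], "ref": int(ref, 16)}
```

Run api_chains on the execution_graph line and it yields six roots, each ending in exactly one API, from 19 nodes, which agrees with the report's node count above; on a control_flow_graph line it yields one chain per function entry, and on the callgraph line the labels are Function_XXXX names with no APIs, so the chains come back empty but the node addresses still resolve.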

                  Callgraph

                  callgraph 0 Function_010A268E 1 Function_0179067F 2 Function_010AA486 3 Function_010A2006 4 Function_01790074 5 Function_014B0645 6 Function_014B0B45 7 Function_010AA005 8 Function_010AA09A 9 Function_014B06DB 10 Function_014B0A5B 11 Function_010A2098 12 Function_0179066A 13 Function_0179026D 14 Function_010AA392 15 Function_010AA612 16 Function_017905E0 17 Function_014B07D2 18 Function_010AA710 19 Function_010A2310 20 Function_010A2194 21 Function_014B0268 22 Function_010AA02E 23 Function_010A262D 24 Function_017905D0 25 Function_010AA120 26 Function_01790649 26->12 27 Function_014B0278 28 Function_010AA23C 29 Function_010A23BC 30 Function_010A213C 31 Function_017905C0 32 Function_01790740 33 Function_010A2430 34 Function_014B0B76 35 Function_010A22B4 36 Function_010AA74E 37 Function_014B0B8D 38 Function_010A26C3 39 Function_010AA540 40 Function_014B0080 41 Function_010AA646 42 Function_014B0006 42->16 42->21 42->27 42->29 66 Function_01790606 42->66 43 Function_010A2458 44 Function_014B0798 45 Function_010AA25E 46 Function_010AA45C 47 Function_010AA2D2 48 Function_010A20D0 49 Function_010AA56E 50 Function_014B0B2E 51 Function_010AA462 52 Function_01790710 53 Function_010AA361 54 Function_010A2264 55 Function_010A2364 56 Function_010AA078 57 Function_010AA2FE 58 Function_0179000C 59 Function_014B0B3E 60 Function_010A247C 61 Function_010AA172 62 Function_01790001 63 Function_010A21F0 64 Function_010AA1F4 65 Function_010A23F4

                  Control-flow Graph

                  control_flow_graph 0 14b0278-14b02a6 1 14b02a8 0->1 2 14b02ae-14b02bc 0->2 1->2 3 14b03d8-14b03ec 2->3 4 14b02c2-14b0305 2->4 7 14b03f2-14b046b 3->7 8 14b0475-14b04c8 3->8 22 14b03b9-14b03d2 4->22 7->8 18 14b04ca 8->18 19 14b04cf-14b04e9 8->19 18->19 25 14b04eb-14b0515 19->25 26 14b0520-14b0677 19->26 22->3 24 14b030a-14b0316 22->24 27 14b0bbd 24->27 28 14b031c-14b034d 24->28 25->26 57 14b06ff-14b0bb8 26->57 58 14b067d-14b06bb 26->58 31 14b0bc2-14b0bcb 27->31 37 14b034f-14b0385 28->37 38 14b0390-14b03b3 28->38 37->38 38->22 38->31 58->57
                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.2159544847.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14b0000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID: %\|k^$5\|k^$E\|k^
                  • API String ID: 0-1137456559
                  • Opcode ID: c43443446de1ae85e65b015aa2814522eff527c2658f2e6162eb81a6d3884a2e
                  • Instruction ID: a6769d22cf4588ade34e2db1eebb95b3468a186f1397f43fc0f3b5e352a7da4d
                  • Opcode Fuzzy Hash: c43443446de1ae85e65b015aa2814522eff527c2658f2e6162eb81a6d3884a2e
                  • Instruction Fuzzy Hash: D5A14B70A01218CFDB24DF79C894BEEB7B2AF45305F1084A9E449AB361DB399D85CF60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 64 14b0268-14b02a6 65 14b02a8 64->65 66 14b02ae-14b02bc 64->66 65->66 67 14b03d8-14b03ec 66->67 68 14b02c2-14b0305 66->68 71 14b03f2-14b046b 67->71 72 14b0475-14b04c8 67->72 86 14b03b9-14b03d2 68->86 71->72 82 14b04ca 72->82 83 14b04cf-14b04e9 72->83 82->83 89 14b04eb-14b0515 83->89 90 14b0520-14b0677 83->90 86->67 88 14b030a-14b0316 86->88 91 14b0bbd 88->91 92 14b031c-14b034d 88->92 89->90 121 14b06ff-14b0bb8 90->121 122 14b067d-14b06bb 90->122 95 14b0bc2-14b0bcb 91->95 101 14b034f-14b0385 92->101 102 14b0390-14b03b3 92->102 101->102 102->86 102->95 122->121
                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.2159544847.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14b0000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID: %\|k^$5\|k^$E\|k^
                  • API String ID: 0-1137456559
                  • Opcode ID: df37a068edd6668ae9b5e360c1e1fa5642530052fa4921a9b8ba2abf73a92221
                  • Instruction ID: 9108f7cdb638eb36e48a556417ae7b15a762d2395ecd532b475598bb2e4573e9
                  • Opcode Fuzzy Hash: df37a068edd6668ae9b5e360c1e1fa5642530052fa4921a9b8ba2abf73a92221
                  • Instruction Fuzzy Hash: FE814B70A01218CFDB24DF75C994BEDB7B2AF45305F1084A9E449AB3A0DB399D89CF61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 128 10aa612-10aa695 132 10aa69a-10aa6a3 128->132 133 10aa697 128->133 134 10aa6a8-10aa6b1 132->134 135 10aa6a5 132->135 133->132 136 10aa702-10aa707 134->136 137 10aa6b3-10aa6d7 CreateMutexW 134->137 135->134 136->137 140 10aa709-10aa70e 137->140 141 10aa6d9-10aa6ff 137->141 140->141
                  APIs
                  • CreateMutexW.KERNELBASE(?,?), ref: 010AA6B9
                  Memory Dump Source
                  • Source File: 00000009.00000002.2159058495.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_10aa000_WindowsServices.jbxd
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: ecc590a40d5add680ae338028ffe0dbcfe7683fb5ffb773b0c421ebf4c78d6e2
                  • Instruction ID: ad939d1a9a0d9e099a7613c9fa83ea29ee98c2a4fe07069bd01d99648db43403
                  • Opcode Fuzzy Hash: ecc590a40d5add680ae338028ffe0dbcfe7683fb5ffb773b0c421ebf4c78d6e2
                  • Instruction Fuzzy Hash: 623195715093805FE712CB65DC45B56BFF8EF06214F08849AE984CB693D375A909C761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Rendered graph not recoverable from text; basic blocks 10aa361-10aa447, RegQueryValueExW called from block 10aa406-10aa419 (executed/not-executed colouring lost)
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,98A9372A,00000000,00000000,00000000,00000000), ref: 010AA40C
                  Memory Dump Source
                  • Source File: 00000009.00000002.2159058495.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_10aa000_WindowsServices.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: f9bb0c18178c7763a18e91096aa994ea1649b54a1f3fd466ca24196182e9d095
                  • Instruction ID: 23007792572c68442009fbfa890043484226e4b351f00be67b17a1cec0f84818
                  • Opcode Fuzzy Hash: f9bb0c18178c7763a18e91096aa994ea1649b54a1f3fd466ca24196182e9d095
                  • Instruction Fuzzy Hash: 16318075505740AFE722CF55CC84F96BBF8EF06610F08849AE9858B692D364E909CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Rendered graph not recoverable from text; basic blocks 10aa462-10aa533, RegSetValueExW called from block 10aa4f2-10aa505 (executed/not-executed colouring lost)
                  APIs
                  • RegSetValueExW.KERNELBASE(?,00000E24,98A9372A,00000000,00000000,00000000,00000000), ref: 010AA4F8
                  Memory Dump Source
                  • Source File: 00000009.00000002.2159058495.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_10aa000_WindowsServices.jbxd
                  Similarity
                  • API ID: Value
                  • String ID:
                  • API String ID: 3702945584-0
                  • Opcode ID: 8e7d3ea789f06cfe738c832115d3eaec4d51bb1ab4e028c290e90016bf10ecbf
                  • Instruction ID: 220d30d236c44751af05cea9f27b1468e1c354761b9d3674a9e502a26620abcb
                  • Opcode Fuzzy Hash: 8e7d3ea789f06cfe738c832115d3eaec4d51bb1ab4e028c290e90016bf10ecbf
                  • Instruction Fuzzy Hash: 8D21B2B2504380AFD7228F55CC44FA7BFF8EF46610F08849AE985CB692D364E909C771
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Rendered graph not recoverable from text; basic blocks 10aa646-10aa70e, CreateMutexW called from block 10aa6b3-10aa6bb (executed/not-executed colouring lost)
                  APIs
                  • CreateMutexW.KERNELBASE(?,?), ref: 010AA6B9
                  Memory Dump Source
                  • Source File: 00000009.00000002.2159058495.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_10aa000_WindowsServices.jbxd
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: a4db2de55269504ed4e5700f11678ded23e39b77070bc046ee3be8583aa39a1b
                  • Instruction ID: af2eb4f5b5495c95f991e60a173273777017e1a1420f6a3da3ce142a9609c389
                  • Opcode Fuzzy Hash: a4db2de55269504ed4e5700f11678ded23e39b77070bc046ee3be8583aa39a1b
                  • Instruction Fuzzy Hash: EE21A4716042009FE721DF69DD45BA6FBE8EF08214F04C8A9E985CBB81D775E909CA71
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Rendered graph not recoverable from text; basic blocks 10aa392-10aa447, RegQueryValueExW called from block 10aa406-10aa419 (executed/not-executed colouring lost)
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,98A9372A,00000000,00000000,00000000,00000000), ref: 010AA40C
                  Memory Dump Source
                  • Source File: 00000009.00000002.2159058495.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_10aa000_WindowsServices.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: 69bc908d529a291025577c2699a8b36ae1bddc07060068d3ff69ef064986c17f
                  • Instruction ID: c97b534d31e06586d16dc91b57cb3cdab9b0d993e9dcee3bea895405c71ee11b
                  • Opcode Fuzzy Hash: 69bc908d529a291025577c2699a8b36ae1bddc07060068d3ff69ef064986c17f
                  • Instruction Fuzzy Hash: 95218E76600204AFE731CE59CD84FA6F7ECEF44614F04C4AAE9858B691D774E909CA71
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Rendered graph not recoverable from text; basic blocks 10aa710-10aa7c5, FindCloseChangeNotification called from block 10aa77a-10aa782 (executed/not-executed colouring lost)
                  APIs
                  • FindCloseChangeNotification.KERNELBASE(?), ref: 010AA780
                  Memory Dump Source
                  • Source File: 00000009.00000002.2159058495.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_10aa000_WindowsServices.jbxd
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0
                  • Opcode ID: 34efe1a02ae28b56a0d9a684403490d42dc4543710b061b904e3b9857c1904a4
                  • Instruction ID: bcc0e6b264895eaa379ce6f7063b6f1f04994a2792b10e773d7c8d44b02053e0
                  • Opcode Fuzzy Hash: 34efe1a02ae28b56a0d9a684403490d42dc4543710b061b904e3b9857c1904a4
                  • Instruction Fuzzy Hash: BB21F0B55083809FD7028F25DC85752BFB8EF02224F0984EBDC858F6A3D235A909CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Rendered graph not recoverable from text; basic blocks 10aa486-10aa533, RegSetValueExW called from block 10aa4f2-10aa505 (executed/not-executed colouring lost)
                  APIs
                  • RegSetValueExW.KERNELBASE(?,00000E24,98A9372A,00000000,00000000,00000000,00000000), ref: 010AA4F8
                  Memory Dump Source
                  • Source File: 00000009.00000002.2159058495.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_10aa000_WindowsServices.jbxd
                  Similarity
                  • API ID: Value
                  • String ID:
                  • API String ID: 3702945584-0
                  • Opcode ID: 0ef8f614e6b0bf2a67ecd440c8f585b0236fa71f73fa4e4a102d197676d45322
                  • Instruction ID: f474b7de40651992f0ab77a4a3a910e7b45ae0ac7971722cf3a920115dfc09c4
                  • Opcode Fuzzy Hash: 0ef8f614e6b0bf2a67ecd440c8f585b0236fa71f73fa4e4a102d197676d45322
                  • Instruction Fuzzy Hash: 5111B1B2600300AFE7318E59CD45FABBBECEF04614F04846AED858BA81D774E508CA71
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Rendered graph not recoverable from text; basic blocks 10aa74e-10aa7c5, FindCloseChangeNotification called from block 10aa77a-10aa782 (executed/not-executed colouring lost)
                  APIs
                  • FindCloseChangeNotification.KERNELBASE(?), ref: 010AA780
                  Memory Dump Source
                  • Source File: 00000009.00000002.2159058495.00000000010AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_10aa000_WindowsServices.jbxd
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0
                  • Opcode ID: efd42c1958abebab00f939ecca999130a74b0e8861509c8b49e0cd3a85d615c0
                  • Instruction ID: 96ecdc82b134e07a1b120807ce567789d710f596bfb6aef57c1137a6d1a0cfb2
                  • Opcode Fuzzy Hash: efd42c1958abebab00f939ecca999130a74b0e8861509c8b49e0cd3a85d615c0
                  • Instruction Fuzzy Hash: 3901D471600200CFDB50CF59DD8476AFBE4EF04220F08C4BBDC468BB82D679E504CAA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Rendered graph not recoverable from text; two basic blocks, 14b0080-14b00ad and 14b00b8-14b0263, no API call sites annotated (executed/not-executed colouring lost)
                  Memory Dump Source
                  • Source File: 00000009.00000002.2159544847.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14b0000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 247030f0fd216f0ef12b8589e5b7936d5d03d9041c3e6ae8b6d0a2702a14e57b
                  • Instruction ID: dfbe0f656b4dd2760be513611fd90a9a378cd1c7fd5bf061c871211917b680ee
                  • Opcode Fuzzy Hash: 247030f0fd216f0ef12b8589e5b7936d5d03d9041c3e6ae8b6d0a2702a14e57b
                  • Instruction Fuzzy Hash: 4A412031216242DFC724DF3AE591D8A77E2FF952087408879E4448B66AEB3D5C8FCB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Rendered graph not recoverable from text; basic blocks 14b0006-14b0076, with the call at 14b0070 resolved to one of 14b0268, 14b0278, 10a23bc, 17905e0 or 1790606 (executed/not-executed colouring lost)
                  Memory Dump Source
                  • Source File: 00000009.00000002.2159544847.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14b0000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 35a8fbfdc8ec2a8b90e24c650f4d825c0e6e5e33ea2303a1a0f0c93a52d1de7b
                  • Instruction ID: f3578f36bef69ba408e3ce036e78ce86008420aadda15caeddf5a9aca6737e66
                  • Opcode Fuzzy Hash: 35a8fbfdc8ec2a8b90e24c650f4d825c0e6e5e33ea2303a1a0f0c93a52d1de7b
                  • Instruction Fuzzy Hash: A011533008E7C08FC7478B7488A19907FB0AE0726030A46CBC880CF1B7C26D684ADB32
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Rendered graph not recoverable from text; two basic blocks, 17905e0-1790620 and 1790626-1790643, no API call sites annotated (executed/not-executed colouring lost)
                  Memory Dump Source
                  • Source File: 00000009.00000002.2159660771.0000000001790000.00000040.00000020.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_1790000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b8a0b427ec05c45b166ab060aca8933592bf6356490d42639c4085f982a22d27
                  • Instruction ID: e44961dd07b2168b44a091eb4c8a001623f642cec8ca257d6f43214f547a564c
                  • Opcode Fuzzy Hash: b8a0b427ec05c45b166ab060aca8933592bf6356490d42639c4085f982a22d27
                  • Instruction Fuzzy Hash: F70186B650D7C06FD7118F159C41862FFF8EF86620709C4EFEC498BA52D225A909CB72
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Rendered graph not recoverable from text; two basic blocks, 1790606-1790620 and 1790626-1790643, no API call sites annotated (executed/not-executed colouring lost)
                  Memory Dump Source
                  • Source File: 00000009.00000002.2159660771.0000000001790000.00000040.00000020.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_1790000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ab2b920421bb2c64182e3f0b662e355b41191791fa0f7f0b64c790e23fe65011
                  • Instruction ID: cb0074680e2af41e903c4d5e46b4f126fb34189be16a71548d8b4e475f4ad8bd
                  • Opcode Fuzzy Hash: ab2b920421bb2c64182e3f0b662e355b41191791fa0f7f0b64c790e23fe65011
                  • Instruction Fuzzy Hash: 0FE092B66046004B9650CF0AEC81452F7E8EB88630708C47FDC0D8BB11E636B508CAA6
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Rendered graph not recoverable from text; basic blocks 10a23f4-10a2421, no API call sites annotated (executed/not-executed colouring lost)
                  Memory Dump Source
                  • Source File: 00000009.00000002.2159041079.00000000010A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A2000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_10a2000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 765874a40b336e5ca5cbb355bfb096c1978ad1be14fb23d06a2cecf140bd16fe
                  • Instruction ID: dc700605a0586359b4287be506eba735f529c12bd821b91710f5c71bb1bcee28
                  • Opcode Fuzzy Hash: 765874a40b336e5ca5cbb355bfb096c1978ad1be14fb23d06a2cecf140bd16fe
                  • Instruction Fuzzy Hash: 3AD05E79205BD14FE3269A1CC6A4B953BE4AB51714F8A44F9A840CB763CB68D5D1D600
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.2159041079.00000000010A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A2000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_10a2000_WindowsServices.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9e2215744fc9447589612ccf9c44969496d7af39e6751250d30660a1e4451909
                  • Instruction ID: 39e98e757d59c57df09ee593b26ae0d0acc3c4dd0ec1b025347f2f93a399a114
                  • Opcode Fuzzy Hash: 9e2215744fc9447589612ccf9c44969496d7af39e6751250d30660a1e4451909
                  • Instruction Fuzzy Hash: 43D05E352002814BDB25DA0DC2D4F597BD4AB41714F0688F8AC508B762C7B8D8C0DA00
                  Uniqueness

                  Uniqueness Score: -1.00%