Edit tour

Windows Analysis Report
G2Hseja2zK.exe

Overview

General Information

Sample name:	G2Hseja2zK.exe renamed because original name is a hash value
Original sample name:	b54147f2898416a133000ca23f2f698d.exe
Analysis ID:	1431414
MD5:	b54147f2898416a133000ca23f2f698d
SHA1:	481632cb0bc1b7e9073140a882e5412278044533
SHA256:	e2798e218dd3dc6dcef7a86a0f143acbbbb6d6b4a3aff594b1186c878fecc91a
Tags:	exenjratRAT
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code contains process injector

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Creates multiple autostart registry keys

Disables zone checking for all users

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Uses netsh to modify the Windows network and firewall settings

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

G2Hseja2zK.exe (PID: 5000 cmdline: "C:\Users\user\Desktop\G2Hseja2zK.exe" MD5: B54147F2898416A133000CA23F2F698D)

chargeable.exe (PID: 7300 cmdline: "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" MD5: C20B1DD8D71512F460DA17DE216346A5)

chargeable.exe (PID: 7340 cmdline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe MD5: C20B1DD8D71512F460DA17DE216346A5)

netsh.exe (PID: 7620 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chargeable.exe (PID: 7412 cmdline: "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" MD5: C20B1DD8D71512F460DA17DE216346A5)

chargeable.exe (PID: 7556 cmdline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe MD5: C20B1DD8D71512F460DA17DE216346A5)

G2Hseja2zK.exe (PID: 7768 cmdline: "C:\Users\user\Desktop\G2Hseja2zK.exe" MD5: B54147F2898416A133000CA23F2F698D)

chargeable.exe (PID: 7936 cmdline: "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" MD5: C20B1DD8D71512F460DA17DE216346A5)

chargeable.exe (PID: 8004 cmdline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe MD5: C20B1DD8D71512F460DA17DE216346A5)

G2Hseja2zK.exe (PID: 8072 cmdline: "C:\Users\user\Desktop\G2Hseja2zK.exe" MD5: B54147F2898416A133000CA23F2F698D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "doddyfire.linkpc.net", "Port": "10000", "Version": "0.7d", "Campaign ID": "neuf", "Install Name": "softcontrol.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Njrat_1	Yara detected Njrat	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x3a9a:$a1: get_Registry 0x4b76:$a2: SEE_MASK_NOZONECHECKS 0x4c72:$a3: Download ERROR 0x4b38:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4aca:$a5: netsh firewall delete allowedprogram "
00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4ba6:$a1: netsh firewall add allowedprogram 0x4b76:$a2: SEE_MASK_NOZONECHECKS 0x4e20:$b1: [TAP] 0x4b38:$c3: cmd.exe /c ping
00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b76:$reg: SEE_MASK_NOZONECHECKS 0x4c4e:$msg: Execute ERROR 0x4caa:$msg: Execute ERROR 0x4b38:$ping: cmd.exe /c ping 0 -n 2 & del
00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x4070e:$a1: get_Registry 0x417ea:$a2: SEE_MASK_NOZONECHECKS 0x418e6:$a3: Download ERROR 0x417ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4173e:$a5: netsh firewall delete allowedprogram "
00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4181a:$a1: netsh firewall add allowedprogram 0x417ea:$a2: SEE_MASK_NOZONECHECKS 0x41a94:$b1: [TAP] 0x417ac:$c3: cmd.exe /c ping
00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x417ea:$reg: SEE_MASK_NOZONECHECKS 0x418c2:$msg: Execute ERROR 0x4191e:$msg: Execute ERROR 0x417ac:$ping: cmd.exe /c ping 0 -n 2 & del
00000003.00000002.4068962832.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: chargeable.exe PID: 7300	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: chargeable.exe PID: 7340	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: chargeable.exe PID: 7556	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.chargeable.exe.2d5da74.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
2.2.chargeable.exe.2d5da74.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1e9a:$a1: get_Registry 0x2f76:$a2: SEE_MASK_NOZONECHECKS 0x3072:$a3: Download ERROR 0x2f38:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2eca:$a5: netsh firewall delete allowedprogram "
2.2.chargeable.exe.2d5da74.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x2f38:$x1: cmd.exe /c ping 0 -n 2 & del " 0x3090:$s3: Executed As 0x3072:$s6: Download ERROR
2.2.chargeable.exe.2d5da74.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2fa6:$a1: netsh firewall add allowedprogram 0x2f76:$a2: SEE_MASK_NOZONECHECKS 0x3220:$b1: [TAP] 0x2f38:$c3: cmd.exe /c ping
2.2.chargeable.exe.2d5da74.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2f76:$reg: SEE_MASK_NOZONECHECKS 0x304e:$msg: Execute ERROR 0x30aa:$msg: Execute ERROR 0x2f38:$ping: cmd.exe /c ping 0 -n 2 & del
2.2.chargeable.exe.2d5da74.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2eca:$s1: netsh firewall delete allowedprogram 0x2fa6:$s2: netsh firewall add allowedprogram 0x2f38:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x304e:$s4: Execute ERROR 0x30aa:$s4: Execute ERROR 0x3072:$s5: Download ERROR 0x31d6:$s6: [kl]
2.2.chargeable.exe.2d5da74.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
2.2.chargeable.exe.2d5da74.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x3c9a:$a1: get_Registry 0x4d76:$a2: SEE_MASK_NOZONECHECKS 0x4e72:$a3: Download ERROR 0x4d38:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4cca:$a5: netsh firewall delete allowedprogram "
2.2.chargeable.exe.2d5da74.0.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d38:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e90:$s3: Executed As 0x4e72:$s6: Download ERROR
2.2.chargeable.exe.2d5da74.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4da6:$a1: netsh firewall add allowedprogram 0x4d76:$a2: SEE_MASK_NOZONECHECKS 0x5020:$b1: [TAP] 0x4d38:$c3: cmd.exe /c ping
2.2.chargeable.exe.2d5da74.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d76:$reg: SEE_MASK_NOZONECHECKS 0x4e4e:$msg: Execute ERROR 0x4eaa:$msg: Execute ERROR 0x4d38:$ping: cmd.exe /c ping 0 -n 2 & del
2.2.chargeable.exe.2d5da74.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cca:$s1: netsh firewall delete allowedprogram 0x4da6:$s2: netsh firewall add allowedprogram 0x4d38:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e4e:$s4: Execute ERROR 0x4eaa:$s4: Execute ERROR 0x4e72:$s5: Download ERROR 0x4fd6:$s6: [kl]
6.2.chargeable.exe.400000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
6.2.chargeable.exe.400000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x3c9a:$a1: get_Registry 0x4d76:$a2: SEE_MASK_NOZONECHECKS 0x4e72:$a3: Download ERROR 0x4d38:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4cca:$a5: netsh firewall delete allowedprogram "
6.2.chargeable.exe.400000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d38:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e90:$s3: Executed As 0x4e72:$s6: Download ERROR
6.2.chargeable.exe.400000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4da6:$a1: netsh firewall add allowedprogram 0x4d76:$a2: SEE_MASK_NOZONECHECKS 0x5020:$b1: [TAP] 0x4d38:$c3: cmd.exe /c ping
6.2.chargeable.exe.400000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d76:$reg: SEE_MASK_NOZONECHECKS 0x4e4e:$msg: Execute ERROR 0x4eaa:$msg: Execute ERROR 0x4d38:$ping: cmd.exe /c ping 0 -n 2 & del
6.2.chargeable.exe.400000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cca:$s1: netsh firewall delete allowedprogram 0x4da6:$s2: netsh firewall add allowedprogram 0x4d38:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e4e:$s4: Execute ERROR 0x4eaa:$s4: Execute ERROR 0x4e72:$s5: Download ERROR 0x4fd6:$s6: [kl]
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\G2Hseja2zK.exe, ProcessId: 5000, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse

Snort Signatures

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 41.249.109.159

Timestamp:	04/25/24-03:05:56.035855
SID:	2825564
Source Port:	49741
Destination Port:	10000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 41.249.109.159

Timestamp:	04/25/24-03:02:13.651234
SID:	2033132
Source Port:	49741
Destination Port:	10000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 41.249.109.159

Timestamp:	04/25/24-03:05:56.800473
SID:	2814860
Source Port:	49741
Destination Port:	10000
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: G2Hseja2zK.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Avira: detection malicious, Label: HEUR/AGEN.1305435

Found malware configuration

Source: 00000003.00000002.4068962832.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Njrat {"Host": "doddyfire.linkpc.net", "Port": "10000", "Version": "0.7d", "Campaign ID": "neuf", "Install Name": "softcontrol.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}

Multi AV Scanner detection for submitted file

Source: G2Hseja2zK.exe	Virustotal: Detection: 85%			Perma Link
Source: G2Hseja2zK.exe	ReversingLabs: Detection: 95%

Yara detected Njrat

Source: Yara match	File source: 2.2.chargeable.exe.2d5da74.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4068962832.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: G2Hseja2zK.exe

Joe Sandbox ML: detected

Source: G2Hseja2zK.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\G2Hseja2zK.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: G2Hseja2zK.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49741 -> 41.249.109.159:10000
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49741 -> 41.249.109.159:10000
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49741 -> 41.249.109.159:10000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: doddyfire.linkpc.net

Source: global traffic

TCP traffic: 192.168.2.4:49741 -> 41.249.109.159:10000

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Code function: 3_2_00F7A186 recv,

3_2_00F7A186

Source: global traffic

DNS traffic detected: DNS query: doddyfire.linkpc.net

Source: chargeable.exe, 00000003.00000002.4067739688.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: chargeable.exe, 00000003.00000002.4067739688.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.LinkId=42127
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, kl.cs

.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 2.2.chargeable.exe.2d5da74.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4068962832.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.chargeable.exe.2d5da74.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.2.chargeable.exe.2d5da74.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.2.chargeable.exe.2d5da74.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.chargeable.exe.2d5da74.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.chargeable.exe.2d5da74.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 2_2_04FC0EE6 NtWriteVirtualMemory,	2_2_04FC0EE6
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 2_2_04FC0E3E NtResumeThread,	2_2_04FC0E3E
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 2_2_04FC0DFA NtResumeThread,	2_2_04FC0DFA
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 2_2_04FC0EB9 NtWriteVirtualMemory,	2_2_04FC0EB9
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 3_2_04F22DF6 NtQuerySystemInformation,	3_2_04F22DF6
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 3_2_04F22DBB NtQuerySystemInformation,	3_2_04F22DBB
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 4_2_06C50EE6 NtWriteVirtualMemory,	4_2_06C50EE6
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 4_2_06C50E3E NtResumeThread,	4_2_06C50E3E
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 4_2_06C50DFA NtResumeThread,	4_2_06C50DFA
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 4_2_06C50EB9 NtWriteVirtualMemory,	4_2_06C50EB9
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 12_2_04C40EE6 NtWriteVirtualMemory,	12_2_04C40EE6
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 12_2_04C40E3E NtResumeThread,	12_2_04C40E3E
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 12_2_04C40DFA NtResumeThread,	12_2_04C40DFA
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 12_2_04C40EB9 NtWriteVirtualMemory,	12_2_04C40EB9

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Code function: 3_2_011C2450

3_2_011C2450

Source: G2Hseja2zK.exe, 00000000.00000002.1698866723.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs G2Hseja2zK.exe
Source: G2Hseja2zK.exe, 00000000.00000000.1604491951.0000000000A82000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename1.exe0 vs G2Hseja2zK.exe
Source: G2Hseja2zK.exe, 00000000.00000002.1699904523.00000000054E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameb6052.dll4 vs G2Hseja2zK.exe
Source: G2Hseja2zK.exe, 00000000.00000002.1698866723.0000000001054000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1.exe0 vs G2Hseja2zK.exe
Source: G2Hseja2zK.exe, 00000000.00000002.1699695028.00000000041C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1.exe0 vs G2Hseja2zK.exe
Source: G2Hseja2zK.exe, 00000000.00000002.1699570403.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs G2Hseja2zK.exe
Source: G2Hseja2zK.exe, 00000000.00000002.1699570403.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs G2Hseja2zK.exe
Source: G2Hseja2zK.exe, 00000000.00000002.1699570403.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: -lU,\\StringFileInfo\\000004B0\\OriginalFilenameL.l vs G2Hseja2zK.exe
Source: G2Hseja2zK.exe, 00000000.00000002.1699570403.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb6052.dll4 vs G2Hseja2zK.exe
Source: G2Hseja2zK.exe, 00000000.00000000.1604514100.0000000000A9E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename1.exe0 vs G2Hseja2zK.exe
Source: G2Hseja2zK.exe, 00000009.00000002.1882363650.0000000002796000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs G2Hseja2zK.exe
Source: G2Hseja2zK.exe, 00000009.00000002.1882363650.0000000002796000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs G2Hseja2zK.exe
Source: G2Hseja2zK.exe, 00000009.00000002.1882363650.0000000002796000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: -lU,\\StringFileInfo\\000004B0\\OriginalFilenameL.l vs G2Hseja2zK.exe
Source: G2Hseja2zK.exe, 0000000E.00000002.2043362488.0000000003596000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs G2Hseja2zK.exe
Source: G2Hseja2zK.exe, 0000000E.00000002.2043362488.0000000003596000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs G2Hseja2zK.exe
Source: G2Hseja2zK.exe, 0000000E.00000002.2043362488.0000000003596000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: -lU,\\StringFileInfo\\000004B0\\OriginalFilenameL.l vs G2Hseja2zK.exe
Source: G2Hseja2zK.exe	Binary or memory string: OriginalFilename1.exe0 vs G2Hseja2zK.exe

Source: G2Hseja2zK.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.chargeable.exe.2d5da74.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.2.chargeable.exe.2d5da74.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.chargeable.exe.2d5da74.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.chargeable.exe.2d5da74.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.2.chargeable.exe.2d5da74.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan

Source: G2Hseja2zK.exe, MusicExpressMain.cs	Base64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'
Source: chargeable.exe.0.dr, MusicExpressMain.cs	Base64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'
Source: 0.2.G2Hseja2zK.exe.41e2b10.1.raw.unpack, MusicExpressMain.cs	Base64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'
Source: 0.2.G2Hseja2zK.exe.41c7ef0.2.raw.unpack, MusicExpressMain.cs	Base64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@16/4@1/1

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 3_2_04F22912 AdjustTokenPrivileges,		3_2_04F22912
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 3_2_04F228DB AdjustTokenPrivileges,		3_2_04F228DB

Source: C:\Users\user\Desktop\G2Hseja2zK.exe

File created: C:\Users\user\AppData\Roaming\confuse

Jump to behavior

Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Mutant created: \Sessions\1\BaseNamedObjects\e1a87040f2026369a233f9ae76301b7b
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: G2Hseja2zK.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: G2Hseja2zK.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\G2Hseja2zK.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\G2Hseja2zK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: G2Hseja2zK.exe	Virustotal: Detection: 85%
Source: G2Hseja2zK.exe	ReversingLabs: Detection: 95%

Source: C:\Users\user\Desktop\G2Hseja2zK.exe

File read: C:\Users\user\Desktop\G2Hseja2zK.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\G2Hseja2zK.exe "C:\Users\user\Desktop\G2Hseja2zK.exe"
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\G2Hseja2zK.exe "C:\Users\user\Desktop\G2Hseja2zK.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Source: unknown	Process created: C:\Users\user\Desktop\G2Hseja2zK.exe "C:\Users\user\Desktop\G2Hseja2zK.exe"
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Jump to behavior

Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Section loaded: shfolder.dll

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: G2Hseja2zK.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\G2Hseja2zK.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: G2Hseja2zK.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, OK.cs

.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: G2Hseja2zK.exe	Static PE information: section name: .l2
Source: chargeable.exe.0.dr	Static PE information: section name: .l2

Source: C:\Users\user\Desktop\G2Hseja2zK.exe

File created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run confuse			Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysMain			Jump to behavior

Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run confuse	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run confuse	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysMain	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysMain	Jump to behavior

Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Memory allocated: 1420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Memory allocated: 14E0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 2C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 4C90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 1010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 4CD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 1340000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 3520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 3520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 5520000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Memory allocated: A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Memory allocated: 2770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Memory allocated: A80000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 28F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 28F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 48F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 2C80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: FA0000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Memory allocated: 17F0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Memory allocated: 3570000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Memory allocated: 5570000 memory commit \| memory reserve \| memory write watch

Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Window / User API: threadDelayed 594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Window / User API: threadDelayed 3708	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Window / User API: threadDelayed 5140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Window / User API: foregroundWindowGot 1758	Jump to behavior

Source: C:\Users\user\Desktop\G2Hseja2zK.exe TID: 4348	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7324	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7344	Thread sleep count: 594 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7344	Thread sleep time: -594000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7724	Thread sleep count: 3708 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7344	Thread sleep count: 5140 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7344	Thread sleep time: -5140000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7432	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7584	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe TID: 7796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7960	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 8040	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\G2Hseja2zK.exe TID: 8092	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Thread delayed: delay time: 922337203685477

Source: G2Hseja2zK.exe, 00000000.00000002.1698866723.0000000001054000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}R'
Source: chargeable.exe, 00000003.00000002.4067739688.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000007.00000003.1808794592.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\G2Hseja2zK.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code contains process injector

Source: 0.2.G2Hseja2zK.exe.54e0000.3.raw.unpack, D.cs	.Net Code: Run contains injection code
Source: 0.2.G2Hseja2zK.exe.321c09c.0.raw.unpack, D.cs	.Net Code: Run contains injection code
Source: 2.2.chargeable.exe.2cec2fc.1.raw.unpack, D.cs	.Net Code: Run contains injection code

.NET source code references suspicious native API functions

Source: 0.2.G2Hseja2zK.exe.54e0000.3.raw.unpack, D.cs	Reference to suspicious API methods: VirtualAllocEx((IntPtr)array4[0], intPtr, (uint)(ptr2 + 80), 12288u, 64u)
Source: 0.2.G2Hseja2zK.exe.54e0000.3.raw.unpack, D.cs	Reference to suspicious API methods: NtWriteVirtualMemory((IntPtr)array4[0], intPtr, (IntPtr)ptr5, (uint)(ptr2 + 84), IntPtr.Zero)
Source: 0.2.G2Hseja2zK.exe.54e0000.3.raw.unpack, D.cs	Reference to suspicious API methods: NtSetContextThread((IntPtr)array4[1], (IntPtr)ptr4)
Source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory written: C:\Users\user\AppData\Roaming\confuse\chargeable.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory written: C:\Users\user\AppData\Roaming\confuse\chargeable.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory written: C:\Users\user\AppData\Roaming\confuse\chargeable.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Jump to behavior

Source: chargeable.exe, 00000003.00000002.4068962832.0000000002D28000.00000004.00000800.00020000.00000000.sdmp, chargeable.exe, 00000003.00000002.4068962832.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, chargeable.exe, 00000003.00000002.4068962832.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: chargeable.exe, 00000003.00000002.4068962832.0000000002D28000.00000004.00000800.00020000.00000000.sdmp, chargeable.exe, 00000003.00000002.4068962832.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, chargeable.exe, 00000003.00000002.4068962832.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9l

Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G2Hseja2zK.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables zone checking for all users

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

Modifies the windows firewall

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: 2.2.chargeable.exe.2d5da74.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4068962832.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: 2.2.chargeable.exe.2d5da74.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.2d5da74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4068962832.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Masquerading	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	212 Process Injection	31 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	212 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
G2Hseja2zK.exe	86%	Virustotal		Browse
G2Hseja2zK.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
G2Hseja2zK.exe	100%	Avira	HEUR/AGEN.1305435
G2Hseja2zK.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\confuse\chargeable.exe	100%	Avira	HEUR/AGEN.1305435
C:\Users\user\AppData\Roaming\confuse\chargeable.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://go.microsoft.	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	Avira URL Cloud	safe
http://go.microsoft.LinkId=42127	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse
http://www.founder.com.cn/cn	0%	Virustotal		Browse
http://www.zhongyicts.com.cn	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
doddyfire.linkpc.net	41.249.109.159	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
doddyfire.linkpc.net	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.microsoft.	chargeable.exe, 00000003.00000002.4067739688.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.microsoft.LinkId=42127	chargeable.exe, 00000003.00000002.4067739688.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.coml	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sakkal.com	G2Hseja2zK.exe, 00000000.00000002.1700058612.0000000006702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
41.249.109.159	doddyfire.linkpc.net	Morocco		36903	MT-MPLSMA	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431414
Start date and time:	2024-04-25 03:01:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	G2Hseja2zK.exe renamed because original name is a hash value
Original Sample Name:	b54147f2898416a133000ca23f2f698d.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@16/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 233 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:01:56	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run confuse C:\Users\user\AppData\Roaming\confuse\chargeable.exe
02:02:04	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysMain C:\Users\user\Desktop\G2Hseja2zK.exe
02:02:14	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run confuse C:\Users\user\AppData\Roaming\confuse\chargeable.exe
02:02:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysMain C:\Users\user\Desktop\G2Hseja2zK.exe
03:02:44	API Interceptor	1071293x Sleep call for process: chargeable.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
doddyfire.linkpc.net	vP53Ohx5q0.exe	Get hash	malicious	Njrat	Browse	187.177.82.222
	9hYKnCVqcI.exe	Get hash	malicious	Njrat	Browse	196.74.150.120
	SjMIbKjuDL.exe	Get hash	malicious	Njrat	Browse	41.248.119.194
	ctVXvVgUrO.exe	Get hash	malicious	Njrat	Browse	41.249.48.248
	j76l1AiIHm.exe	Get hash	malicious	Njrat	Browse	41.249.48.248
	QpcOa13BU1.exe	Get hash	malicious	Njrat	Browse	41.249.108.177
	z9gxPEpWws.exe	Get hash	malicious	Njrat	Browse	41.249.108.177
	7Hr9O6jK2l.exe	Get hash	malicious	Njrat	Browse	41.249.108.177
	tuYTv9rjMX.exe	Get hash	malicious	Njrat	Browse	160.178.39.123
	eDafoy5XIk.exe	Get hash	malicious	Njrat	Browse	160.178.39.123

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MT-MPLSMA	xzk9TKqNoI.elf	Get hash	malicious	Mirai	Browse	105.155.31.14
	SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	41.249.64.224
	YKLjlQEZKY.elf	Get hash	malicious	Mirai	Browse	41.140.123.187
	pJNcZyhUh8.elf	Get hash	malicious	Mirai	Browse	41.140.123.136
	jPLqxoxi1w.elf	Get hash	malicious	Mirai	Browse	160.180.17.127
	42EYULJ8y1.elf	Get hash	malicious	Mirai	Browse	41.143.204.151
	tajma.x86-20240422-0535.elf	Get hash	malicious	Mirai, Okiru	Browse	41.250.5.191
	tajma.arm7-20240421-1029.elf	Get hash	malicious	Mirai, Okiru	Browse	41.251.80.166
	9hYKnCVqcI.exe	Get hash	malicious	Njrat	Browse	196.74.150.120
	JdnjRc1VGX.elf	Get hash	malicious	Mirai	Browse	41.248.100.185

Process:	C:\Users\user\Desktop\G2Hseja2zK.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	388
Entropy (8bit):	5.20595142366915
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10U29xtUz1B0U2uk71K6xhk7v:MLF2CpI329Iz52Ve
MD5:	2452328391F7A0B3C56DDF0E6389513E
SHA1:	6FE308A325AE8BFB17DE5CAAF54432E5301987B6
SHA-256:	2BC0F7D1CBD869EF4FD93B95495C8081B01B3FD627890B006B6A531D8C050AA2
SHA-512:	AC65283B0959E112B73160BB4322D0725C7D0EC79E3BB93555B1412204AA72F1F66BB9EB8D8B24B6570EC8717A1A4A129454588C3EA9ACE206B6E9CCB7F2ABDC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	388
Entropy (8bit):	5.20595142366915
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10U29xtUz1B0U2uk71K6xhk7v:MLF2CpI329Iz52Ve
MD5:	2452328391F7A0B3C56DDF0E6389513E
SHA1:	6FE308A325AE8BFB17DE5CAAF54432E5301987B6
SHA-256:	2BC0F7D1CBD869EF4FD93B95495C8081B01B3FD627890B006B6A531D8C050AA2
SHA-512:	AC65283B0959E112B73160BB4322D0725C7D0EC79E3BB93555B1412204AA72F1F66BB9EB8D8B24B6570EC8717A1A4A129454588C3EA9ACE206B6E9CCB7F2ABDC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Download File

Process:	C:\Users\user\Desktop\G2Hseja2zK.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	109632
Entropy (8bit):	5.88357460793866
Encrypted:	false
SSDEEP:	1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoNQe:w5eznsjsguGDFqGx8egoNQe
MD5:	C20B1DD8D71512F460DA17DE216346A5
SHA1:	823572DD58E3C87C6ADE599D6A520D3440E70E6C
SHA-256:	9A45D1A9E0A2B38D1EA5A9B674A9D4345C94D029FBA6A55953DE9EDE16F1F9EF
SHA-512:	7F92738E5E4B72B84AAAEC267A86813561342DCFA91A4D5D7D9980526EADDB26BB52349367AC15E94E5701B1D4A73CD8E18FE3C522EB0C3883AEC27C861E4CF5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S..[.................x..........^.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...dv... ...x.................. ..`.rsrc...H............\|..............@..@.reloc..............................@..B.l2.................................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.881725228050034
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	G2Hseja2zK.exe
File size:	109'568 bytes
MD5:	b54147f2898416a133000ca23f2f698d
SHA1:	481632cb0bc1b7e9073140a882e5412278044533
SHA256:	e2798e218dd3dc6dcef7a86a0f143acbbbb6d6b4a3aff594b1186c878fecc91a
SHA512:	0eacf4f94c7de892ddf9357a54b49489723d4c04e3c6652adf98542f5734d932808a253ede96e4c0797d9adb37e07723be847c78233317c7c854752115c7769d
SSDEEP:	1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoNJ:w5eznsjsguGDFqGx8egoNJ
TLSH:	E2B3EB387D952133C67EC1F689E50A8AEB69223F3191E9ED4CA742C418B2F166DC1D1F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S..[.................x..........^.... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x41965e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5B1EAC53 [Mon Jun 11 17:07:31 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19608	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e000	0x400	.l2
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x17664	0x17800	7acd957f3266ee65ab01391ebf758013	False	0.46648520611702127	data	5.649987526076151	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1a000	0x348	0x400	2f8c2571ca02df8c52b2a03fcee90517	False	0.37109375	data	2.7512174114856074	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1c000	0xc	0x200	5219651ec1890b5711996a05a6f4ed37	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.l2	0x1e000	0x400	0x400	8821bc5ab10b630550f47d3029855e20	False	0.3720703125	data	2.7512174114856074	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1e060	0x2ec	data			0.4625668449197861

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/25/24-03:05:56.035855	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49741	10000	192.168.2.4	41.249.109.159
04/25/24-03:02:13.651234	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49741	10000	192.168.2.4	41.249.109.159
04/25/24-03:05:56.800473	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49741	10000	192.168.2.4	41.249.109.159

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 03:02:13.297458887 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:02:13.556737900 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:02:13.556890011 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:02:13.651233912 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:02:14.233884096 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:02:14.494678974 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:02:19.187455893 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:02:19.780657053 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:02:19.832318068 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:02:19.836349010 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:02:20.042396069 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:02:20.421309948 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:02:20.684209108 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:02:27.999983072 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:02:28.593190908 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:02:28.851892948 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:02:36.125011921 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:02:36.610733986 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:02:37.892231941 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:02:37.892579079 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:02:38.406138897 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:02:55.962034941 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:02:55.962465048 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:02:56.555083036 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:12.126086950 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:12.587655067 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:13.234129906 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:13.784476995 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:14.025302887 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:14.025628090 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:14.562385082 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:16.671761990 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:17.137422085 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:17.137521029 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:17.658423901 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:19.359595060 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:19.896449089 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:19.896528959 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:20.373616934 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:20.476274014 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:20.479183912 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:20.633645058 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:20.635251045 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:20.896881104 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:20.896994114 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:21.291645050 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:21.357567072 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:21.357790947 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:21.594892025 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:21.595057011 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:21.836782932 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:21.857647896 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:21.857990980 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:22.099117041 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:22.099195957 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:22.364173889 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:22.364373922 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:22.624248028 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:22.624438047 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:22.968044996 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:23.157715082 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:23.157932043 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:23.226589918 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:23.226814985 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:23.476881981 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:23.493424892 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:23.493571997 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:23.710475922 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:23.734350920 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:23.734631062 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:23.943380117 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:23.953883886 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:23.953984976 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:23.969513893 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:23.969607115 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:24.192775965 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:24.193094015 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:24.202351093 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:24.202505112 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:24.225733995 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:24.225817919 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:24.461345911 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:24.461483955 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:24.634046078 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:24.686012030 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:24.686100006 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:24.861061096 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:24.898652077 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:24.898895025 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:24.944490910 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:24.944582939 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:25.123223066 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:25.123348951 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:25.203138113 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:25.203269005 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:25.446962118 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:25.462811947 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:25.463006973 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:25.698060989 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:25.706384897 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:25.926047087 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:25.960813046 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:25.960937977 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:26.208772898 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:26.211678982 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:26.211766005 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:26.231648922 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:26.231770039 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:26.432611942 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:26.525543928 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:26.530915976 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:26.574229002 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:26.577086926 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:26.732194901 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:26.733711004 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:26.837852955 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:26.837949991 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:27.024091959 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:27.098346949 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:27.101275921 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:27.285636902 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:27.289171934 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:27.550740957 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:27.550889969 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:27.767677069 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:27.953351974 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:28.084204912 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:28.084450006 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:28.219588041 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:28.219832897 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:28.405757904 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:28.409543037 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:28.608150005 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:28.621611118 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:28.625149012 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:28.753139973 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:28.757129908 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:28.985397100 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:29.032929897 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:29.033035040 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:29.050440073 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:29.050668955 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:29.244524956 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:29.244642973 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:29.308912992 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:29.309058905 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:29.510139942 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:29.568589926 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:29.569118023 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:29.769355059 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:29.769448042 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:29.979023933 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:30.021245003 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:30.025238991 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:30.237715006 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:30.241214991 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:30.283375025 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:30.285363913 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:30.486629963 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:30.500792980 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:30.500956059 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:30.696213961 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:30.748282909 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:30.748367071 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:30.758672953 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:30.965512037 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:30.965598106 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:31.233859062 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:31.304311991 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:31.304416895 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:31.493935108 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:31.494038105 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:31.755167007 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:31.779016018 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:31.780955076 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:32.022958994 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:32.025147915 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:32.090961933 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:32.093463898 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:32.342942953 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:32.368181944 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:32.368387938 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:32.604599953 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:32.604739904 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:32.821333885 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:32.821410894 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:33.019445896 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:33.080468893 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:33.080585003 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:33.277447939 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:33.277544022 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:33.516161919 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:33.535514116 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:33.537075043 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:33.775073051 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:33.831043959 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:33.831233978 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:34.039710045 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:34.041079044 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:34.099402905 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:34.101241112 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:34.328720093 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:34.362015963 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:34.362102032 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:34.591483116 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:34.591607094 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:34.853544950 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:34.853611946 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:35.265120983 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:35.358500004 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:35.358602047 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:35.523761034 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:35.619271994 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:35.944325924 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:36.293327093 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:36.327644110 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:36.442365885 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:36.442472935 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:36.552381992 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:36.552648067 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:36.674381971 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:36.674499989 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:36.707345009 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:36.707422972 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:36.931164980 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:36.931304932 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:37.189436913 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:37.189568996 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:37.434840918 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:37.623549938 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:37.692290068 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:37.692452908 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:37.881318092 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:37.881400108 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:37.952177048 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:37.952363014 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:38.123271942 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:38.123370886 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:38.209606886 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:38.209692001 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:38.471625090 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:38.471718073 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:38.728966951 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:38.921474934 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:38.951308012 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:38.951426029 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:38.994415998 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:38.994529009 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:39.183470964 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:39.183712006 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:39.223289967 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:39.223387003 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:39.409521103 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:39.442318916 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:39.442440033 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:39.656807899 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:39.772454023 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:39.772564888 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:39.790414095 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:39.790508032 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:39.919301987 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:39.919414043 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:40.052468061 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:40.052547932 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:40.178385973 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:40.178468943 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:40.439126968 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:40.450304985 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:40.453325033 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:40.696171045 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:40.734324932 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:40.737083912 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:40.915569067 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:40.917093039 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:40.955305099 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:40.955441952 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:41.139493942 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:41.141002893 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:41.218408108 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:41.221187115 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:41.415549040 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:41.496426105 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:41.496534109 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:41.718532085 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:41.718625069 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:41.945230961 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:41.955440998 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:41.955511093 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:42.150029898 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:42.204729080 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:42.204866886 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:42.212496042 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:42.212572098 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:42.403604031 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:42.407344103 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:42.411190987 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:42.475362062 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:42.479073048 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:42.661331892 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:42.663233042 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:42.736480951 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:42.739090919 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:42.961024046 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:42.997266054 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:42.999567032 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:43.203527927 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:43.222315073 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:43.225094080 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:43.425786018 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:43.467655897 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:43.467750072 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:43.487363100 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:43.487411976 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:43.685476065 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:43.685566902 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:43.758373022 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:43.758445024 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:44.014333963 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:44.016527891 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:44.229103088 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:44.273438931 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:44.273583889 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:44.489762068 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:44.493542910 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:44.706206083 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:44.748428106 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:44.749499083 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:44.972400904 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:44.973315001 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:45.008389950 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:45.009514093 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:45.232646942 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:45.280261993 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:45.280363083 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:45.496424913 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:45.496525049 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:45.697515011 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:45.746422052 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:45.746535063 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:45.962697983 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:45.962886095 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:46.005589962 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:46.005724907 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:46.249512911 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:46.265326977 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:46.265477896 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:46.517731905 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:46.521348953 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:46.742650032 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:46.755386114 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:46.755543947 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:46.777659893 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:46.777789116 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:47.004462004 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:47.004678011 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:47.037606955 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:47.037708998 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:47.245414019 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:47.301496029 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:47.301610947 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:47.488033056 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:47.560483932 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:47.563100100 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:47.783921957 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:47.819660902 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:47.819794893 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:47.874471903 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:47.874569893 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:48.043728113 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:48.046567917 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:48.137722015 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:48.139111996 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:48.323654890 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:48.396562099 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:48.396658897 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:48.585455894 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:48.585583925 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:48.741936922 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:48.843556881 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:48.843673944 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:49.010524035 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:49.010620117 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:49.216583014 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:49.287650108 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:49.287796021 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:49.476485968 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:49.479098082 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:49.685269117 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:49.738611937 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:49.739161015 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:49.944600105 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:49.947175980 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:50.185688972 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:50.204479933 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:50.419522047 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:50.443633080 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:50.446197033 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:50.644022942 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:50.685447931 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:50.690421104 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:50.904239893 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:50.907102108 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:50.951600075 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:50.953207970 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:51.206183910 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:51.211420059 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:51.215091944 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:51.392735958 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:51.500644922 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:51.500782967 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:51.677695036 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:51.677782059 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:51.772461891 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:51.772542000 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:51.988624096 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:52.029443026 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:52.029551983 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:52.218204021 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:52.271698952 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:52.271886110 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:52.476629972 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:52.478104115 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:52.541769028 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:52.546536922 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:52.804737091 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:52.805145979 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:53.140145063 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:53.319575071 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:53.323127985 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:53.399795055 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:53.581815004 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:54.379947901 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:54.610774040 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:54.687061071 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:54.872703075 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:54.872838974 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:54.945681095 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:54.945759058 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:55.144905090 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:55.144984007 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:55.403696060 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:55.403810024 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:55.765204906 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:55.939543962 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:55.939656973 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:56.052587986 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:56.052820921 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:56.198642969 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:56.198765039 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:56.372268915 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:56.470748901 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:56.470848083 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:56.634710073 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:56.634804964 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:56.894949913 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:56.914581060 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:56.914661884 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:57.123625040 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:57.157603979 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:57.157712936 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:57.376265049 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:57.453753948 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:57.453886986 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:57.456629038 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:57.456710100 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:57.636784077 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:57.637027025 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:57.742801905 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:57.743026018 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:57.935966969 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:58.000775099 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:58.001081944 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:58.195683002 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:58.195801020 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:58.394720078 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:58.453648090 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:58.453811884 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:58.654638052 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:58.654725075 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:58.868787050 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:58.911551952 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:58.911658049 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:59.124522924 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:59.126730919 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:59.126823902 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:59.186635017 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:59.186774969 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:59.383707047 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:59.383950949 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:59.444786072 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:59.445168972 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:59.671485901 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:59.702650070 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:59.705221891 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:59.902777910 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:03:59.930584908 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:03:59.932771921 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:00.139056921 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:00.161720991 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:00.161967993 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:00.189507008 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:00.189569950 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:00.381315947 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:00.398816109 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:00.398901939 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:00.450820923 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:00.450915098 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:00.639808893 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:00.639965057 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:00.712770939 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:00.712852955 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:00.877728939 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:00.970643997 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:00.970782042 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:01.138600111 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:01.138839006 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:01.375145912 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:01.396589994 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:01.396706104 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:01.607837915 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:01.634557962 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:01.634653091 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:01.864718914 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:01.864845037 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:01.891791105 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:01.891875982 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:02.085458994 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:02.149928093 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:02.150182962 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:02.343715906 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:02.343863010 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:02.515050888 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:02.600781918 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:02.603115082 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:02.777813911 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:02.781095982 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:03.010931015 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:03.039722919 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:03.041666985 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:03.206218958 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:03.275780916 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:03.277220011 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:03.467571974 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:03.467654943 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:03.537507057 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:03.537709951 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:03.761116028 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:03.795795918 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:03.796111107 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:03.982007027 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:04.019805908 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:04.019891977 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:04.237215042 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:04.243026972 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:04.243237972 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:04.281639099 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:04.281723022 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:04.463141918 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:04.495767117 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:04.495877028 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:04.538685083 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:04.538909912 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:04.724694014 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:04.724798918 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:04.800851107 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:04.801062107 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:05.065845966 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:05.065936089 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:05.306166887 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:05.374666929 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:05.379841089 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:05.380095005 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:05.568726063 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:05.571194887 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:05.639818907 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:05.643098116 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:05.644722939 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:05.897912979 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:05.900659084 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:06.107183933 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:06.162844896 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:06.163266897 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:06.367827892 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:06.367917061 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:06.588419914 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:06.628689051 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:06.628906012 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:06.833060026 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:06.846816063 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:06.846894979 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:07.103698969 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:07.103806019 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:07.132900000 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:07.133002996 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:07.360490084 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:07.390736103 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:07.391084909 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:07.608711958 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:07.618577957 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:07.618786097 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:07.817245007 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:07.870623112 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:07.870871067 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:07.876859903 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:07.876924038 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:08.076654911 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:08.076740980 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:08.135938883 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:08.136048079 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:08.229857922 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:08.230009079 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:08.395750046 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:08.395865917 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:08.617356062 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:08.654937983 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:08.655073881 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:08.875740051 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:08.875979900 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:09.087994099 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:09.116949081 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:09.117059946 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:09.338913918 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:09.339137077 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:09.346810102 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:09.346963882 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:09.588717937 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:09.591180086 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:09.605758905 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:09.607347012 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:09.846256018 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:09.864892006 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:09.865030050 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:10.085887909 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:10.110001087 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:10.111079931 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:10.310960054 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:10.321716070 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:10.321770906 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:10.360925913 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:10.361121893 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:10.586816072 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:10.587042093 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:10.603683949 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:10.603786945 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:10.842664003 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:10.842813969 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:10.860937119 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:11.101703882 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:11.101799011 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:11.241959095 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:11.242069960 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:11.522757053 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:11.522839069 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:11.793775082 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:12.045768023 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:12.045866013 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:12.061758995 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:12.696926117 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:12.697031021 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:13.002613068 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:13.300189972 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:13.300276995 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:13.301800013 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:13.590903044 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:13.842927933 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:13.843008995 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:13.848834038 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:14.170324087 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:14.253985882 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:14.254157066 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:14.442807913 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:14.443068027 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:14.664916039 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:14.704725027 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:14.704880953 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:14.906687975 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:14.925745010 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:14.925899029 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:15.139888048 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:15.206876040 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:15.206983089 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:15.212816954 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:15.212886095 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:15.425928116 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:15.426158905 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:15.471859932 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:15.472037077 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:15.730967999 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:15.731055021 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:16.042980909 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:16.249448061 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:16.249623060 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:16.301783085 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:16.301923990 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:16.534173012 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:16.581873894 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:16.582076073 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:16.786283970 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:16.793961048 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:16.794101954 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:16.985297918 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:17.045882940 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:17.045990944 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:17.056462049 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:17.246073961 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:17.246208906 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:17.265897989 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:17.266112089 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:17.497741938 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:17.513968945 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:17.514164925 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:17.750941038 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:17.751087904 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:17.765938997 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:17.766009092 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:18.007385969 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:18.038893938 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:18.039076090 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:18.245063066 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:18.245161057 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:18.277833939 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:18.277940035 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:18.480122089 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:18.503072023 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:18.506184101 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:18.740026951 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:18.741604090 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:18.762873888 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:18.765093088 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:18.977190971 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:19.021820068 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:19.025139093 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:19.205357075 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:19.237749100 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:19.241432905 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:19.473144054 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:19.473259926 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:19.498872042 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:19.819942951 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:19.943753004 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:19.943923950 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:20.078857899 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:20.079094887 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:20.278002024 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:20.278141022 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:20.536293030 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:20.536422014 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:20.770791054 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:21.028892040 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:21.029159069 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:21.246638060 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:21.246763945 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:21.511212111 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:21.511404991 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:21.911840916 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:22.042948008 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:22.043163061 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:22.175012112 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:22.175188065 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:22.402607918 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:22.433949947 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:22.434058905 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:22.661931992 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:22.662046909 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:22.893065929 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:22.893167973 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:23.117981911 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:23.118190050 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:23.286083937 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:23.286292076 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:23.544933081 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:23.545068026 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:23.913296938 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:24.006906986 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:24.006988049 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:24.181201935 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:24.181319952 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:24.438915968 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:24.439064980 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:24.655519009 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:24.874102116 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:24.897073984 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:24.899094105 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:24.915963888 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:24.919090986 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:25.141444921 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:25.143102884 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:25.185141087 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:25.187076092 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:25.418975115 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:25.463139057 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:25.463229895 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:25.680006027 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:25.680128098 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:25.924026966 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:25.924122095 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:26.165932894 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:26.166066885 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:26.297384977 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:26.297718048 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:26.516922951 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:26.556902885 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:26.557022095 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:26.775007963 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:26.775233984 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:26.989886045 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:27.034110069 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:27.034261942 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:27.255234003 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:27.255445957 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:27.492000103 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:27.515355110 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:27.515441895 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:27.772285938 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:27.772393942 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:27.776031017 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:27.980840921 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:28.041203976 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:28.041275024 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:28.239245892 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:28.239465952 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:28.458724022 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:28.498250008 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:28.499600887 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:28.703444004 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:28.718112946 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:28.721956968 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:28.955276012 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:28.957281113 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:28.965173960 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:28.968239069 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:29.178468943 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:29.183098078 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:29.224981070 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:29.225399971 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:29.308990002 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:29.309185028 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:29.484204054 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:29.484317064 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:29.757168055 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:29.757241964 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:30.249159098 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:30.249304056 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:30.749036074 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:30.749114037 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:31.053409100 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:31.251157999 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:31.251250029 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:31.312035084 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:31.312150955 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:31.575139046 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:31.577121973 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:32.049360037 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:32.049460888 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:32.322272062 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:32.323081017 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:32.519047022 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:32.519134998 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:32.742288113 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:32.778049946 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:32.778152943 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:33.086247921 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:33.086349010 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:33.321546078 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:33.321650028 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:33.535512924 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:33.707077026 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:33.707174063 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:33.794007063 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:33.794085979 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:34.024421930 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:34.053045034 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:34.053145885 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:34.283217907 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:34.283409119 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:34.489509106 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:34.521189928 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:34.521281958 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:34.721234083 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:34.748022079 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:34.748114109 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:34.778104067 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:34.778163910 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:34.979234934 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:34.983119011 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:35.034065962 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:35.035096884 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:35.219348907 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:35.293014050 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:35.293243885 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:35.485230923 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:35.485316038 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:35.696127892 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:35.743235111 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:35.743320942 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:35.955988884 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:35.956087112 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:36.202094078 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:36.215217113 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:36.215461969 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:36.433716059 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:36.460145950 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:36.460242987 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:36.692286015 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:36.692524910 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:36.716116905 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:36.716331005 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:36.978049994 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:36.978163958 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:37.216629028 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:37.450407028 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:37.452785969 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:37.474250078 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:37.474354982 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:37.681255102 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:37.681334019 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:37.708079100 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:37.708157063 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:37.711093903 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:37.910058975 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:37.922180891 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:37.923084021 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:37.967710972 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:37.968349934 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:38.162552118 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:38.170315027 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:38.171101093 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:38.229156017 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:38.231110096 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:38.423073053 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:38.427223921 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:38.488095045 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:38.491091013 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:38.735655069 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:38.747390032 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:38.747478008 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:39.000021935 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:39.000106096 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:39.204034090 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:39.204129934 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:39.452342987 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:39.452836037 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:39.678575993 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:39.712187052 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:39.712444067 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:39.942257881 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:39.942388058 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:40.208110094 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:40.208249092 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:40.438214064 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:40.662230015 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:40.662357092 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:40.696124077 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:40.696196079 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:40.939486980 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:40.953109026 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:40.953181028 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:41.202187061 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:41.202428102 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:41.423348904 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:41.423476934 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:41.653126955 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:41.655124903 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:41.882389069 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:41.882472992 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:42.118874073 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:42.144319057 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:42.147177935 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:42.381618977 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:42.383131027 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:42.642720938 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:42.642891884 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:42.912421942 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:43.152447939 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:43.152699947 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:43.175339937 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:43.175585032 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:43.432255030 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:43.432383060 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:43.724308968 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:43.953514099 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:43.953844070 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:43.986403942 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:43.986509085 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:44.245393038 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:44.245646954 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:44.606933117 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:44.753314972 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:44.753510952 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:44.865293026 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:44.865473032 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:45.125607967 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:45.125693083 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:45.384752989 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:45.627331018 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:45.649393082 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:45.650136948 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:45.821844101 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:45.852140903 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:45.855093002 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:46.081289053 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:46.082103968 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:46.082133055 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:46.082185030 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:46.091543913 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:46.093497038 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:46.122129917 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:46.127224922 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:46.333431959 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:46.333431959 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:46.356230021 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:46.356293917 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:46.373270988 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:46.375226974 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:46.385287046 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:46.390463114 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:46.591376066 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:46.591536045 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:46.850373983 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:46.850521088 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:47.119769096 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:47.333445072 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:47.333550930 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:47.378294945 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:47.378427982 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:47.639339924 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:47.643143892 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:48.110326052 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:48.113141060 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:48.487704039 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:48.573550940 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:48.573652983 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:48.747567892 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:48.747713089 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:49.005384922 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:49.593887091 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:49.951759100 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:50.042426109 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:50.042531967 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:50.210541964 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:50.210671902 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:50.371265888 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:50.371438026 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:50.630512953 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:50.630767107 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:51.037009001 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:51.096378088 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:51.096628904 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:51.294518948 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:51.494234085 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:51.562495947 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:51.562582016 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:51.753608942 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:51.753726006 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:51.978765965 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:52.011509895 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:52.011657000 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:52.238323927 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:52.238452911 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:52.445200920 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:52.472903013 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:52.473171949 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:52.703249931 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:52.703341007 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:52.704998970 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:52.931540966 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:52.931617975 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:53.169965029 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:53.172506094 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:53.387598991 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:53.387691975 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:53.428447008 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:53.428529978 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:53.637861013 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:53.685705900 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:53.687222958 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:53.902268887 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:53.902492046 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:54.157426119 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:54.162297010 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:54.165997028 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:54.378607035 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:54.383111000 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:54.418436050 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:54.419128895 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:54.644906044 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:54.645019054 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:54.894911051 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:54.905570030 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:54.905678034 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:55.112324953 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:55.175487995 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:55.175605059 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:55.371378899 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:55.371622086 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:55.433621883 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:55.433845043 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:55.632642031 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:55.696791887 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:55.697130919 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:55.892455101 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:55.893266916 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:56.124983072 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:56.152427912 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:56.153805017 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:56.369544029 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:56.402565002 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:56.402662039 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:56.403470039 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:56.632544041 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:56.635288954 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:56.663502932 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:56.663564920 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:56.888753891 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:56.921638966 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:56.921978951 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:57.150684118 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:57.155137062 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:57.348835945 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:57.413845062 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:57.415124893 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:57.612541914 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:57.612726927 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:57.845113039 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:57.882550001 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:57.882885933 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:58.099133968 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:58.103621960 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:58.293538094 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:58.337740898 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:58.337817907 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:58.358556986 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:58.358637094 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:58.552977085 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:58.553292036 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:58.617491961 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:58.621510029 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:58.852627993 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:58.879780054 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:58.881282091 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:59.076529026 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:59.111408949 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:59.113233089 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:59.298572063 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:59.334650993 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:59.335606098 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:59.335697889 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:59.420794010 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:59.421636105 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:59.618985891 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:59.679733038 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:59.679857969 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:59.708662033 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:59.708898067 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:04:59.880492926 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:04:59.880590916 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:00.014765024 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:00.014842987 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:00.252487898 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:00.351398945 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:00.351716995 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:00.516402006 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:00.516849041 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:00.752293110 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:00.791686058 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:00.793401003 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:00.996392965 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:01.012474060 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:01.012820005 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:01.255728960 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:01.259224892 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:01.272960901 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:01.275278091 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:01.456063986 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:01.540585995 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:01.541439056 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:01.740614891 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:01.740716934 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:01.959111929 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:01.993544102 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:01.993653059 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:02.205503941 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:02.205636024 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:02.218626976 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:02.218790054 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:02.399050951 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:02.426795006 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:02.426958084 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:02.477597952 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:02.477706909 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:02.659498930 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:02.661663055 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:02.735681057 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:02.735754013 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:02.988924980 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:02.996938944 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:02.997124910 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:03.195858955 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:03.247765064 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:03.249660969 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:03.457552910 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:03.457748890 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:03.507597923 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:03.507680893 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:03.723301888 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:03.765463114 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:03.767215967 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:03.984671116 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:03.987363100 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:04.206923962 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:04.247924089 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:04.251380920 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:04.451129913 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:04.466713905 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:04.467112064 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:04.697041035 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:04.713016987 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:04.713327885 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:04.736872911 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:04.736968040 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:04.959786892 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:04.962908983 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:04.997999907 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:04.998075008 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:05.220947981 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:05.221385956 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:05.436506033 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:05.436640024 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:05.677962065 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:05.678075075 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:05.897835970 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:05.897969961 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:06.128031015 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:06.138622999 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:06.138880968 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:06.360085964 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:06.386703014 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:06.386883974 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:06.402760029 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:06.402841091 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:06.677627087 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:06.677913904 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:06.723865986 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:06.723958015 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:06.981812000 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:06.981937885 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:07.546478033 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:07.688710928 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:07.689083099 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:07.870899916 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:07.950773954 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:08.448009968 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:08.499692917 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:08.962053061 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:09.023466110 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:09.023590088 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:09.482543945 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:09.515494108 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:09.614743948 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:09.615006924 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:09.872402906 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:10.073693037 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:10.073874950 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:10.077645063 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:10.077744007 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:10.080306053 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:10.255853891 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:10.256139040 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:10.480072021 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:10.627850056 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:10.628024101 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:10.738658905 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:10.738780975 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:10.739479065 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:10.836194038 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:10.836194038 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:11.082866907 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:11.093497992 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:11.093612909 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:11.102699041 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:11.102808952 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:11.378829956 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:11.379065037 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:11.462779045 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:11.462873936 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:11.699733019 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:11.855823040 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:11.857119083 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:11.980740070 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:11.981240034 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:12.216738939 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:12.240931988 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:12.241261005 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:12.477041960 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:12.477335930 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:12.700519085 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:12.706691027 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:12.906491041 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:12.959945917 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:12.960052967 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:13.167732954 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:13.167849064 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:13.218950033 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:13.219027042 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:13.476725101 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:13.476962090 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:13.739765882 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:13.977082014 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:13.998800993 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:13.999766111 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:14.201853037 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:14.203300953 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:14.237739086 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:14.239145994 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:14.470047951 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:14.471195936 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:14.499891043 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:14.500176907 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:14.709754944 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:14.757838964 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:14.758034945 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:14.969832897 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:14.969923019 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:15.226890087 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:15.227278948 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:15.470069885 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:15.679037094 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:15.688797951 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:15.691210985 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:15.727988958 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:15.731125116 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:15.935508966 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:15.942651987 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:15.989833117 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:15.991138935 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:16.194952011 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:16.195290089 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:16.485640049 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:16.485915899 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:16.787904024 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:16.788039923 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:17.192714930 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:17.249864101 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:17.249950886 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:17.470829010 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:17.471076965 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:17.482029915 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:17.482300043 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:17.729950905 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:17.731328011 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:17.948959112 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:17.949214935 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:18.222049952 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:18.223164082 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:18.548439026 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:18.749159098 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:18.749396086 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:18.807892084 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:18.808161974 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:19.065917015 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:19.066133022 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:19.443591118 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:19.549814939 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:19.549933910 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:19.703056097 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:19.703264952 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:19.963911057 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:19.964145899 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:20.374294043 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:20.451200962 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:20.451374054 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:20.492985964 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:20.493204117 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:20.643013954 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:20.643296957 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:20.750942945 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:20.751169920 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:21.019026995 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:21.021166086 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:21.283113003 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:21.287383080 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:21.511344910 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:21.748889923 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:21.749008894 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:21.772618055 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:21.772833109 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:21.998076916 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:22.032063007 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:22.032166958 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:22.257846117 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:22.258054018 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:22.488004923 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:22.488142967 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:22.747180939 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:22.747297049 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:23.017769098 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:23.208998919 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:23.209117889 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:23.277000904 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:23.277127028 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:23.505019903 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:23.505331993 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:23.740878105 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:23.740998030 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:23.998645067 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:23.998938084 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:24.236495018 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:24.258069038 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:24.258224010 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:24.495026112 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:24.495156050 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:24.764947891 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:24.765058041 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:25.226311922 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:25.275839090 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:25.275924921 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:25.485981941 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:25.486156940 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:25.741935968 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:25.742082119 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:26.222085953 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:26.222309113 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:26.513948917 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:26.541671038 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:26.978688955 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:27.010014057 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:27.010282040 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:27.251064062 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:27.251147985 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:27.478301048 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:27.508069992 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:27.508167982 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:27.711113930 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:27.711275101 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:27.737035036 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:27.968056917 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:27.968228102 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:28.391570091 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:28.510889053 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:28.511100054 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:28.653927088 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:28.654062986 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:28.912996054 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:28.913091898 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:29.151829958 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:29.385298967 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:29.430952072 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:29.431025982 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:29.436197042 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:29.610954046 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:29.613399982 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:29.694813013 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:29.694901943 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:29.878074884 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:29.881421089 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:30.107048035 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:30.141313076 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:30.145369053 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:30.367070913 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:30.369437933 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:30.609211922 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:30.609301090 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:30.868808985 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:30.870131016 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:31.060416937 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:31.130179882 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:31.130506039 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:31.320022106 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:31.320137978 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:31.539943933 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:31.580002069 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:31.580389977 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:31.788566113 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:31.809031963 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:31.809273958 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:31.997009039 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:32.037178040 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:32.037290096 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:32.049031019 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:32.049248934 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:32.257124901 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:32.257278919 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:32.299154043 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:32.299236059 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:32.512262106 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:32.517071009 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:32.517185926 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:32.535003901 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:32.535296917 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:32.755549908 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:32.769896030 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:32.772845984 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:32.773114920 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:32.984041929 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:32.987263918 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:33.014149904 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:33.015240908 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:33.220597029 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:33.240231991 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:33.241312027 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:33.273257017 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:33.277282000 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:33.480003119 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:33.481332064 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:33.535994053 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:33.536077976 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:33.786550045 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:33.795322895 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:34.044068098 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:34.045038939 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:34.286504030 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:34.303107977 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:34.303189039 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:34.517491102 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:34.545264006 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:34.545727015 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:34.781322002 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:34.781450987 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:34.804236889 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:34.804435968 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:35.018448114 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:35.061170101 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:35.061393976 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:35.272176027 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:35.276309013 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:35.512425900 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:35.529098034 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:35.529304028 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:35.546384096 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:35.546648026 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:35.754371881 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:35.772984982 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:35.806916952 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:35.806976080 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:36.012444973 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:36.012547016 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:36.217236996 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:36.277147055 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:36.277414083 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:36.476927042 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:36.477186918 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:36.725339890 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:36.750994921 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:36.751090050 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:36.942167997 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:36.986015081 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:36.989512920 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:37.010212898 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:37.013488054 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:37.201191902 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:37.205763102 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:37.298140049 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:37.301435947 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:37.539457083 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:37.561012983 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:37.561155081 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:37.816670895 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:37.835865974 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:37.835937023 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:38.076208115 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:38.076317072 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:38.093908072 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:38.093986988 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:38.333949089 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:38.352077961 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:38.352210045 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:38.553056955 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:38.553278923 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:38.593009949 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:38.593120098 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:38.799622059 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:38.803925991 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:38.849931955 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:38.850152016 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:39.042730093 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:39.059108973 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:39.059240103 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:39.268610954 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:39.301037073 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:39.301367998 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:39.327117920 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:39.327469110 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:39.527107954 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:39.527205944 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:39.583957911 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:39.584028006 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:39.838876009 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:39.843035936 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:40.034974098 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:40.102272987 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:40.102396011 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:40.293090105 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:40.293185949 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:40.546425104 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:40.552052021 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:40.747340918 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:40.805237055 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:40.805536985 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:41.031944036 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:41.032038927 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:41.255070925 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:41.293092966 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:41.293174028 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:41.513565063 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:41.515117884 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:41.571063995 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:41.571146011 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:41.755317926 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:41.768115997 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:41.769188881 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:41.773992062 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:41.777138948 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:41.969263077 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:42.024185896 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:42.024874926 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:42.027067900 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:42.027128935 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:42.228084087 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:42.229505062 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:42.308916092 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:42.311132908 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:42.493050098 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:42.495218992 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:42.674889088 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:42.751825094 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:42.751920938 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:42.933991909 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:42.934113979 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:43.102385044 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:43.195178986 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:43.195270061 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:43.361104965 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:43.361229897 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:43.547738075 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:43.619060040 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:43.619169950 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:43.806360960 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:43.809381008 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:44.068216085 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:44.069205999 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:44.390288115 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:44.588006020 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:44.591165066 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:44.648128986 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:44.850199938 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:45.819129944 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:46.133908033 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:46.218507051 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:46.306211948 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:46.306395054 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:46.397226095 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:46.397305012 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:46.477161884 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:46.477221966 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:46.567075968 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:46.567140102 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:46.735095024 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:46.737134933 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:46.952872992 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:46.995191097 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:46.997246981 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:47.213242054 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:47.217160940 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:47.456501007 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:47.474997044 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:47.477307081 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:47.587187052 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:47.589407921 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:47.878351927 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:47.878684044 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:47.909317017 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:47.909714937 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:48.133491993 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:48.168226004 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:48.168541908 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:48.407962084 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:48.417560101 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:48.657485962 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:48.666316032 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:48.669151068 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:48.894609928 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:48.897345066 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:48.917195082 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:48.921889067 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:49.145189047 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:49.156251907 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:49.157232046 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:49.394129038 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:49.399226904 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:49.403480053 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:49.405164957 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:49.658370972 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:49.659157991 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:49.873673916 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:49.895396948 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:49.895502090 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:50.110583067 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:50.136430979 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:50.136733055 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:50.153279066 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:50.153393984 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:50.369329929 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:50.369437933 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:50.412092924 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:50.412157059 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:50.600346088 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:50.600569010 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:50.669179916 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:50.669296026 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:50.883891106 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:50.930425882 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:50.930556059 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:51.145100117 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:51.145332098 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:51.389589071 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:51.397475004 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:51.397569895 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:51.631300926 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:51.647239923 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:51.647346973 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:51.655039072 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:51.655105114 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:51.871375084 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:51.896385908 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:51.916512966 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:51.916589975 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:52.132424116 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:52.133095980 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:52.391244888 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:52.391407967 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:52.627729893 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:52.633316040 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:52.863867998 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:52.887352943 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:52.890460968 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:53.093379974 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:53.093802929 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:53.125376940 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:53.127136946 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:53.352291107 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:53.355268002 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:53.611274004 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:53.611438990 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:53.863332987 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:53.867191076 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:54.073173046 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:54.075158119 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:54.332422972 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:54.332509995 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:54.590358019 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:54.590493917 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:54.805354118 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:55.053231001 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:55.053450108 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:55.065325022 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:55.065416098 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:55.271131992 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:55.312442064 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:55.315211058 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:55.520617962 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:55.525425911 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:55.527286053 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:55.534281969 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:55.535140038 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:55.766525030 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:55.766659975 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:55.778583050 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:55.778779984 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:55.802303076 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:55.802402973 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:56.020385027 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:56.035559893 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:56.035855055 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:56.258385897 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:56.258454084 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:56.281183004 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:56.281256914 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:56.513673067 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:56.513767958 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:56.540621996 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:56.540790081 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:56.623250008 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:56.623419046 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:56.800373077 CEST	10000	49741	41.249.109.159	192.168.2.4
Apr 25, 2024 03:05:56.800472975 CEST	49741	10000	192.168.2.4	41.249.109.159
Apr 25, 2024 03:05:57.059392929 CEST	10000	49741	41.249.109.159	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 03:02:13.164343119 CEST	62721	53	192.168.2.4	1.1.1.1
Apr 25, 2024 03:02:13.294667959 CEST	53	62721	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 03:02:13.164343119 CEST	192.168.2.4	1.1.1.1	0xa11e	Standard query (0)	doddyfire.linkpc.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 03:02:13.294667959 CEST	1.1.1.1	192.168.2.4	0xa11e	No error (0)	doddyfire.linkpc.net		41.249.109.159	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:01:49
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\G2Hseja2zK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\G2Hseja2zK.exe"
Imagebase:	0x7ff7699e0000
File size:	109'568 bytes
MD5 hash:	B54147F2898416A133000CA23F2F698D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:01:59
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Imagebase:	0x640000
File size:	109'632 bytes
MD5 hash:	C20B1DD8D71512F460DA17DE216346A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000002.1733972249.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:02:02
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Imagebase:	0x690000
File size:	109'632 bytes
MD5 hash:	C20B1DD8D71512F460DA17DE216346A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000002.4068962832.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	03:02:04
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Imagebase:	0xab0000
File size:	109'632 bytes
MD5 hash:	C20B1DD8D71512F460DA17DE216346A5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:02:09
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Imagebase:	0xf70000
File size:	109'632 bytes
MD5 hash:	C20B1DD8D71512F460DA17DE216346A5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000006.00000002.1850819913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:02:09
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:02:09
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:02:14
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\G2Hseja2zK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\G2Hseja2zK.exe"
Imagebase:	0xd0000
File size:	109'568 bytes
MD5 hash:	B54147F2898416A133000CA23F2F698D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:02:22
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Imagebase:	0x360000
File size:	109'632 bytes
MD5 hash:	C20B1DD8D71512F460DA17DE216346A5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:02:25
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Imagebase:	0x570000
File size:	109'632 bytes
MD5 hash:	C20B1DD8D71512F460DA17DE216346A5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:02:30
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\G2Hseja2zK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\G2Hseja2zK.exe"
Imagebase:	0xf90000
File size:	109'568 bytes
MD5 hash:	B54147F2898416A133000CA23F2F698D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	90
Total number of Limit Nodes:	3

Executed Functions

Function 014A00D0 Relevance: 9.1, Instructions: 9145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1699418686.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14a0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e61b5f99a41e17c758179d397915d0ab34bd7ba689292fadf7e2c85f8284d4
Instruction ID: b17044a62de7a494300c790345417d1d77f0cc2ade0fdc9236538de4c8e5f667
Opcode Fuzzy Hash: 09e61b5f99a41e17c758179d397915d0ab34bd7ba689292fadf7e2c85f8284d4
Instruction Fuzzy Hash: 81144734600704DFD765DB30C984AEAB7B2EF89304F5188A9D55AAB360DF36AE85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 014A00E0 Relevance: 9.1, Instructions: 9140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1699418686.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14a0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8489f652b8a601f2912d111286929997f3e23546bc6ba24d42a4237347ce788
Instruction ID: 974132a1a86c0f2fa7544c607769871274aa07ed2cc0ffa210a17ad6e6f64423
Opcode Fuzzy Hash: d8489f652b8a601f2912d111286929997f3e23546bc6ba24d42a4237347ce788
Instruction Fuzzy Hash: 2F144734600704DFD765DB30C984AEAB7B2EF89304F5188A9D55AAB360DF36AE85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 014A98A0 Relevance: 2.7, Instructions: 2697
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1699418686.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14a0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30404bf154bcabd6e4b2beaf07892e2b4d5fcd120b9d2d3ab98822f0bfcd8ebb
Instruction ID: 2c0a72f64254ab63d596d71071cae8f2688d92bfa2490510f735f4a237693f95
Opcode Fuzzy Hash: 30404bf154bcabd6e4b2beaf07892e2b4d5fcd120b9d2d3ab98822f0bfcd8ebb
Instruction Fuzzy Hash: 5E33A534304532CB8606FB22D96066F6FB6E789954318C355CA2547B84CF78FE9B8BC9

Uniqueness

Uniqueness Score: -1.00%

Function 014A9828 Relevance: 2.5, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Bl, xrefs: 014A9870
\Bl, xrefs: 014A9864

Memory Dump Source

Source File: 00000000.00000002.1699418686.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14a0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID: \Bl$\Bl
API String ID: 0-2688229348
Opcode ID: 09ddd92a773c0cb787b423f4a647969c30a36b82f56c0857a8661c269ffb26da
Instruction ID: da9812d87c4b29981e6e158fba58a1f77b921067c8cd7413b4342e751191a735
Opcode Fuzzy Hash: 09ddd92a773c0cb787b423f4a647969c30a36b82f56c0857a8661c269ffb26da
Instruction Fuzzy Hash: F1F0F631B0021097DA21A26EDC12B6E36D68BC9B54F66403FF601EB7A4DE71EC0253D6

Uniqueness

Uniqueness Score: -1.00%

Function 05380B60 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 05380C05

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 57ca9130b441dc32d1641ff3fc59591c0cdfd886ee6e9024f7f169d1351333f0
Instruction ID: bf1d35d3490a3158ba1ba08288ecd7b79c4b740dfeb59584cf03a53604e23f15
Opcode Fuzzy Hash: 57ca9130b441dc32d1641ff3fc59591c0cdfd886ee6e9024f7f169d1351333f0
Instruction Fuzzy Hash: 6D3190B15053806FE722CF65CC44FA6BBF8EF05224F08849AE989CB652D365E509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00F8AC22 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00F8ACD1

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5b8516bedf15bbe04efe9fdbdbed43e21a0d3fc57bba5e13babaf9cb0bf535e7
Instruction ID: 3a4453ebb478b3255841b667d7867214a099dcd4d310ce2b24b2b3d4ae7e7227
Opcode Fuzzy Hash: 5b8516bedf15bbe04efe9fdbdbed43e21a0d3fc57bba5e13babaf9cb0bf535e7
Instruction Fuzzy Hash: 20319372504384AFE7228B55CC45FA7BFB8EF06710F08849BE9858B652D264E94DCB71

Uniqueness

Uniqueness Score: -1.00%

Function 00F8AD19 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,F465DADD,00000000,00000000,00000000,00000000), ref: 00F8ADD4

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 33f0b6e383375016990afac33245204b1f8844bba91bdf663a21cb1785b5a03b
Instruction ID: aa39de82f1ae541d53cb93040e328336b8e33d8d6e54b3be557d8e912016be8a
Opcode Fuzzy Hash: 33f0b6e383375016990afac33245204b1f8844bba91bdf663a21cb1785b5a03b
Instruction Fuzzy Hash: 123195765097845FE722CB21CC45FA2BFF8EF06324F08849AE945CB552D364E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05380F83 Relevance: 1.6, APIs: 1, Instructions: 81
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,F465DADD,00000000,00000000,00000000,00000000), ref: 05381030

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5a8c58191f73b076416b53f9d8cb7ea31159ea7792b2d73be4edb20de5432cd7
Instruction ID: 2b134a692328f1e2f402536b88f96f3c2c538edeb60dec9ac74767452e605701
Opcode Fuzzy Hash: 5a8c58191f73b076416b53f9d8cb7ea31159ea7792b2d73be4edb20de5432cd7
Instruction Fuzzy Hash: 7921D2B15087806FE722CB15DC44FA3BFB8EF06314F08849AE9859B693D364E909C771

Uniqueness

Uniqueness Score: -1.00%

Function 00F8A2AC Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 00F8A346

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bc92a5e16897cf53fb016e2b458d23fae0b2241284f97a3860b803bcf93a3684
Instruction ID: 87532f8085cc6c32cbf9a4dc1921f9e3d7d6f14c3473b52f6ffdd20d245868c8
Opcode Fuzzy Hash: bc92a5e16897cf53fb016e2b458d23fae0b2241284f97a3860b803bcf93a3684
Instruction Fuzzy Hash: 1E21C57150D3C06FD3138B259C51B62BFB8EF87620F0A40CBE884CB693D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05380B86 Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 05380C05

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3ab4862e99138bfc45437bb68c0dd7f19f9833ba0d9b8730b97791c835329347
Instruction ID: 13f7a69bac2ce93884b6c3e6a460f4cd3121e85d19a63126e5d7d7562ef60707
Opcode Fuzzy Hash: 3ab4862e99138bfc45437bb68c0dd7f19f9833ba0d9b8730b97791c835329347
Instruction Fuzzy Hash: 6121BC71604300AFEB25DF65CD49B66FBE8EF08324F088869E9498B651D371E408CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F8AC52 Relevance: 1.6, APIs: 1, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00F8ACD1

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: f99f81c926dd769122f76ff607d438e19e600e96ba02dd850ad7d2c7ab53953c
Instruction ID: bfb73fe7693d07a94fc85f5c84e5fa2a08a8d54f1e0fc9c8b8d89f0e772830d5
Opcode Fuzzy Hash: f99f81c926dd769122f76ff607d438e19e600e96ba02dd850ad7d2c7ab53953c
Instruction Fuzzy Hash: 3B21CD72900604AFEB21AB55CD44FEBFBECEF18724F04845AE945CB651D324E94C8BB2

Uniqueness

Uniqueness Score: -1.00%

Function 05380D17 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,F465DADD,00000000,00000000,00000000,00000000), ref: 05380D9D

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ffb872cd56bee083bc3bf91581517a0aa4c5f53b6ae27ca0af70e7b6096851a7
Instruction ID: 8438a885d32c1a1861fa4fbdb4f1aa0497ed18e774ad2389e7c8135f7eb19161
Opcode Fuzzy Hash: ffb872cd56bee083bc3bf91581517a0aa4c5f53b6ae27ca0af70e7b6096851a7
Instruction Fuzzy Hash: B821C3B55097806FE7128B55DC54BE2BFB8EF47314F0880DAE984CB693D264A90DC772

Uniqueness

Uniqueness Score: -1.00%

Function 05380431 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32 ref: 053804B3

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 742bfa947a98168519a99125eb9330ffb001fd0d9e34cd49c3795a4c662b24ae
Instruction ID: 569a1392f539c44d9eef2e48dffe56d4b600a38caaa7e55d69e64afeb2317478
Opcode Fuzzy Hash: 742bfa947a98168519a99125eb9330ffb001fd0d9e34cd49c3795a4c662b24ae
Instruction Fuzzy Hash: C621A1715497849FDB22CF25DC44B62BFF4EF46310F08849AE9858F663D275E818CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05380EBA Relevance: 1.6, APIs: 1, Instructions: 70
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,F465DADD,00000000,00000000,00000000,00000000), ref: 05380F39

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e8598b834b44b61c0d00588fff6de5f6e60b93266c4501a9965d8cd9fee84012
Instruction ID: 0d593e900ee15cc481b8601d54ed469dc56b44b333357c306a798aeb5b5cf828
Opcode Fuzzy Hash: e8598b834b44b61c0d00588fff6de5f6e60b93266c4501a9965d8cd9fee84012
Instruction Fuzzy Hash: DA219F71509380AFDB22CF55DC44FA7BFB8EF45210F08849AE9849B652C365A508CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F8AD5A Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,F465DADD,00000000,00000000,00000000,00000000), ref: 00F8ADD4

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 19bab0ec1b68e83b996d9fa582910995e447faddcfa86aa067a9d213a946320b
Instruction ID: 8d8a84845c08c95c9c5f321025d26c4a3cdb87f295d3502e42a7f5ca0e08f71d
Opcode Fuzzy Hash: 19bab0ec1b68e83b996d9fa582910995e447faddcfa86aa067a9d213a946320b
Instruction Fuzzy Hash: 95218176A00604AFEB21DE15CC44FE6B7ECEF14720F08845AE945CB651D760E948DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F8BAB4 Relevance: 1.6, APIs: 1, Instructions: 68libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE ref: 00F8BB2C

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5cac0dca4dc8954c13c137cdbe8923ec79282d29d1dd4264fbf4449734782e62
Instruction ID: 97932b756c27a1b79fa9cd89dd85a56604e1d8a44850e08866f10885e66f2e59
Opcode Fuzzy Hash: 5cac0dca4dc8954c13c137cdbe8923ec79282d29d1dd4264fbf4449734782e62
Instruction Fuzzy Hash: 0C215E715093C05FDB128B25DC94792BFB8DF47324F0984DAED848F667D2649908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05380FBE Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,F465DADD,00000000,00000000,00000000,00000000), ref: 05381030

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5561ab9c0ea0c95b91b93b577c84dd5bd4a95619322cc3936339cb48edca0856
Instruction ID: 9655e758714bf99fcf70b6eec24a24bb2b39d913ded128091c344d946e147578
Opcode Fuzzy Hash: 5561ab9c0ea0c95b91b93b577c84dd5bd4a95619322cc3936339cb48edca0856
Instruction Fuzzy Hash: 3111ACB2600740AFEB219E15DC40FA6BBACEF04614F08845AE9458AB52D364E549CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F8B42D Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00F8B4A9

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 414bb9d1f2aaf9f59e81b5d09d804bb89e515614d7dc3b9875110c5fda0fcf97
Instruction ID: 22f27612d96b78ca58b73bb44c16d7682df164013395edc65a5db80dc69c9c33
Opcode Fuzzy Hash: 414bb9d1f2aaf9f59e81b5d09d804bb89e515614d7dc3b9875110c5fda0fcf97
Instruction Fuzzy Hash: 232181B15097805FDB22CE15DC45B62BFF8EF46724F08808AED848B693D365A808DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05381078 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE ref: 053810E3

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 57ce5314147483b5de6cce3fb2b20faf8aef379a453db6b703293966b4818090
Instruction ID: d05f0293e51c0af6d0046f56c1b278d3ab25d5fc78bf6cfafeb832aad3b2524e
Opcode Fuzzy Hash: 57ce5314147483b5de6cce3fb2b20faf8aef379a453db6b703293966b4818090
Instruction Fuzzy Hash: 572190716093C09FDB118B25DC55BA2BFA8EF46220F0884EAED85CB262D275A805CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05380AA4 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 05380B0B

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: ae2762f83339fef4ce06474b92345a0ee017e36836e058b756b536532b3ac7d4
Instruction ID: 7d3b2f6f510136c09f777aa553492522a59fb615893fb2fc0951d0e6b45b09d5
Opcode Fuzzy Hash: ae2762f83339fef4ce06474b92345a0ee017e36836e058b756b536532b3ac7d4
Instruction Fuzzy Hash: 751184716093809FDB15CF25DC89B66BFE8EF46220F0884AAED45CB252D274E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F8BC4B Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 00F8BCBF

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: af5140bbd2cd3a3cdbce98ac518e16f8d263ac7621e84b9c45a754b11a610100
Instruction ID: 6f70f8ac23f84fbdc36aca0f4f43913de998730d5b1fb581b017e33222669d1f
Opcode Fuzzy Hash: af5140bbd2cd3a3cdbce98ac518e16f8d263ac7621e84b9c45a754b11a610100
Instruction Fuzzy Hash: 0F2193B19093809FDB11CF25DC45B52BFB4EF46324F0984DAED848F263D2749909DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05381325 Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05381399

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 033884bc8ebdcdaeff87edbcd860032a26064bbb9018b110beb380d6997dc3ba
Instruction ID: f958aa6aa260e05ebc7874af4e30fa9eeb2f5bc33225c21332de5d0441e506f3
Opcode Fuzzy Hash: 033884bc8ebdcdaeff87edbcd860032a26064bbb9018b110beb380d6997dc3ba
Instruction Fuzzy Hash: B3219D7150D7C09FDB238F25CC44A62BFB4EF07210F0984DAE9848F663D265A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05380007 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 05380082

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: 82b25054fde39f44d76fbbb716cc6ab4a0e5f487679a203f6ad21813ac444c88
Instruction ID: 9b344578175ba7e1e2f47827e130fffeb2a5e02e450411057d06b689da19726d
Opcode Fuzzy Hash: 82b25054fde39f44d76fbbb716cc6ab4a0e5f487679a203f6ad21813ac444c88
Instruction Fuzzy Hash: BE11BFB1504340AFD3118B15DC45F72BBB8EF8AA20F15819AFC489BA42D274B959CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00F8A5FB Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F8A666

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cf5dea8c21956875615f023268d0cfa3f69f504fe31626136e3631c7b5c6608a
Instruction ID: 1ae70120a3aac5db22b2e79eae64a11330804d097461de1b0883c6019deb136a
Opcode Fuzzy Hash: cf5dea8c21956875615f023268d0cfa3f69f504fe31626136e3631c7b5c6608a
Instruction Fuzzy Hash: 5E118471509780AFDB228F51DC44B62FFF4EF4A320F0888DAED858B562D275A518DB62

Uniqueness

Uniqueness Score: -1.00%

Function 053811E4 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 05381240

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: cebf951b38fd7ee10dc3c1bfd7dd8328faeba8bec7304cbc9a23b9d89c071dd6
Instruction ID: d8a3b6fed35381d08e89e56586f4093054e4a0a2a84549d11d47d4154284c935
Opcode Fuzzy Hash: cebf951b38fd7ee10dc3c1bfd7dd8328faeba8bec7304cbc9a23b9d89c071dd6
Instruction Fuzzy Hash: F21160715093849FDB12CB25DC95B66BFB8EF46220F0884EAED45CB652D264E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05380EDA Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,F465DADD,00000000,00000000,00000000,00000000), ref: 05380F39

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 553b5f4bf290eb93ea82f8a69b5ce29616eb6038ea016ef805d0c03b29291f23
Instruction ID: 835d27e2b546586de2458b93503215e91ec25dbb3ed13cc5726b0d59b6297aba
Opcode Fuzzy Hash: 553b5f4bf290eb93ea82f8a69b5ce29616eb6038ea016ef805d0c03b29291f23
Instruction Fuzzy Hash: 1E11BF72500700AFEB21DF55DC44FA6FBA8EF44724F08C45AEA498AA51C375A6488BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F8BD10 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 00F8BD75

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: a74830061a320eec219055ee62c0c7de43d29df23b7aa2563aac62edcd61e099
Instruction ID: c6f8e8dff10096fbf8341c9fc2d561ce46fb1baaa03afcfdea4eaa96d293d06d
Opcode Fuzzy Hash: a74830061a320eec219055ee62c0c7de43d29df23b7aa2563aac62edcd61e099
Instruction Fuzzy Hash: 1C11B672504780AFDB218F15DC45B62FFF8EF46724F08809EED458B662D261E818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 053816B7 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05381721

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f7e417827e4c1eb23fc19d627cdc954329dd824a4b75b6643cc3541dbd5a6dcd
Instruction ID: 0a3640f8004fb4e2eee2f8cdfdf1d9e5e76126bf1344242af2e082182519ac43
Opcode Fuzzy Hash: f7e417827e4c1eb23fc19d627cdc954329dd824a4b75b6643cc3541dbd5a6dcd
Instruction Fuzzy Hash: 9F11D0715097809FDB228F15DC45B62FFB4EF06324F08849EED858B6A3C275A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05380462 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32 ref: 053804B3

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: ea8ea2aa6c5f43e8d371d5be9cd74c9da2a735ac4bb591730253b0f0186318a2
Instruction ID: aabf539058ddb933684762900a06492ba11caf70b2585e0caa9272152c4ee236
Opcode Fuzzy Hash: ea8ea2aa6c5f43e8d371d5be9cd74c9da2a735ac4bb591730253b0f0186318a2
Instruction Fuzzy Hash: E91148716047049FEB24DF15D888B66FBE8FF08620F0884AADD898B752D375E418CE62

Uniqueness

Uniqueness Score: -1.00%

Function 05380D4A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,F465DADD,00000000,00000000,00000000,00000000), ref: 05380D9D

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 00c89c0920c3d6ccdef2d9da91c36bdbe9058749b4bcd06d149550d7a3cf7b67
Instruction ID: 3e874ccbdba68a7c71875e419c9c91287543d378119bec115284cce4409595e4
Opcode Fuzzy Hash: 00c89c0920c3d6ccdef2d9da91c36bdbe9058749b4bcd06d149550d7a3cf7b67
Instruction Fuzzy Hash: 2701C475604300AEE720DB05DC89FB6B7ACDF45724F18C056ED449B741D374E54C8AB6

Uniqueness

Uniqueness Score: -1.00%

Function 05380AC6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 05380B0B

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 6f78eb96222a539eac8285ec573816e64a74a92b97a9aa56cf749e5b5ba7ec16
Instruction ID: 9db590202b7a42294e6ea1209f08bad8bb9f6cbf58c6fe01675ed669639c1de8
Opcode Fuzzy Hash: 6f78eb96222a539eac8285ec573816e64a74a92b97a9aa56cf749e5b5ba7ec16
Instruction Fuzzy Hash: 0F11A1716043408FEB18DF25D888B76FBE8EF05324F08C4AADD09CB641D274E508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 053810A6 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE ref: 053810E3

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6055c024ec586c0aea1c90990cac211e9059db6826d1ea9a0baa1b87257bf3f8
Instruction ID: 6ae6ddf4dca345900302edccec5d3c35b023aa3df6212b19f01a4fdd5e1d2bf8
Opcode Fuzzy Hash: 6055c024ec586c0aea1c90990cac211e9059db6826d1ea9a0baa1b87257bf3f8
Instruction Fuzzy Hash: 360180716043449FEB50DF25DC85B76FBE8EF05220F0884AADD49CB796D275E404CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00F8A42A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE ref: 00F8A480

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 920767b2aa85daa13ec8be89bda93874e977af0a3fc16cbb67d29b48d4c28c64
Instruction ID: 89077ca321e8cb085176351fa6251d6481097f3ea1bf050cf92219e670f23d02
Opcode Fuzzy Hash: 920767b2aa85daa13ec8be89bda93874e977af0a3fc16cbb67d29b48d4c28c64
Instruction Fuzzy Hash: CA018475509384AFDB12CB15DC49B62FFB8EF46724F0880DAED854B262D275A808DB72

Uniqueness

Uniqueness Score: -1.00%

Function 05381206 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 05381240

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 523771a8a8c6828ea2ace73cf52b25965814f77485100404a200dcc74018dd54
Instruction ID: b67990233e71898a70e4f2b8ad1d91e0427609010acea908fe977d9dd548aba6
Opcode Fuzzy Hash: 523771a8a8c6828ea2ace73cf52b25965814f77485100404a200dcc74018dd54
Instruction Fuzzy Hash: 8F019E716043448FDB50DF25D885BB6FBE8EF45220F08C4AADD49CBA56D274E508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F8B45E Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00F8B4A9

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: a7ce852c2994a44dd53a70134a6e06659f233726a86ffac0b0ce842c29bb1075
Instruction ID: 164648f7ef0439b12e633708b87cfe29166d8c7b9e46036f4c26659079f11034
Opcode Fuzzy Hash: a7ce852c2994a44dd53a70134a6e06659f233726a86ffac0b0ce842c29bb1075
Instruction Fuzzy Hash: 23019272A006009FDB20DF15D846BA2FBE8EF14720F18C099DD498B752D375E808DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F8BD32 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 00F8BD75

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: d0eb5e2c5b6727dddec069d8fa243f4161663c53922c5cbe501b0a8b4af821c3
Instruction ID: f9403d81173a0229c4c758bec69d5b40cd992c35a435e5c1b0fc398c8e2208d6
Opcode Fuzzy Hash: d0eb5e2c5b6727dddec069d8fa243f4161663c53922c5cbe501b0a8b4af821c3
Instruction Fuzzy Hash: 66019272A046409FDB609F15D845B96FBE4EF15720F08C05ADD458B762D371E818DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F8A622 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F8A666

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3829af54f3b567395120c14ddf735e960304c67ce9b9dd908b04828d8325965d
Instruction ID: fecc6d14b10b4b0663c8b6a65a4d877f05ae1a4f04354e0e8738e315b77f4ea4
Opcode Fuzzy Hash: 3829af54f3b567395120c14ddf735e960304c67ce9b9dd908b04828d8325965d
Instruction Fuzzy Hash: 4A01C0329007009FEB21DF51D844B62FFE4EF08320F08C89ADE498A655D376E418EF62

Uniqueness

Uniqueness Score: -1.00%

Function 00F8BC82 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 00F8BCBF

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: d9cd09e384aafd253561a3ce1206f2273d0291e09c6c20285205b834d5257295
Instruction ID: 729dac26f98d1780be34e1607b199330bfc2002de3fae8558de2231cd586786e
Opcode Fuzzy Hash: d9cd09e384aafd253561a3ce1206f2273d0291e09c6c20285205b834d5257295
Instruction Fuzzy Hash: 4F01B171A042409FEB10EF15D8857A6FBE4EF15320F18C4AADD488B756D775E404DF62

Uniqueness

Uniqueness Score: -1.00%

Function 05380032 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 05380082

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: ce2ed65ba856e7f03a751d5d2c61c45ffe41d5cec0a9e88e5b73a7cc582e878a
Instruction ID: 5547976e89522bb86449ea1d31143e88f299b49e978425fe384fb9c5d0233534
Opcode Fuzzy Hash: ce2ed65ba856e7f03a751d5d2c61c45ffe41d5cec0a9e88e5b73a7cc582e878a
Instruction Fuzzy Hash: AD01D671500600ABD310DF16CD46B66FBE8FB88B20F14811AED089BB41D731F955CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00F8BAF2 Relevance: 1.5, APIs: 1, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE ref: 00F8BB2C

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 71b5f8ca16f0b74e6304cacbbb536a58183429dc6bb77bd80d74162a70c5f3c5
Instruction ID: d3491db93b787f5c044b7e430db87c69ed45ac45524e49fc2ad682ffbb868d75
Opcode Fuzzy Hash: 71b5f8ca16f0b74e6304cacbbb536a58183429dc6bb77bd80d74162a70c5f3c5
Instruction Fuzzy Hash: 4201BC71A042408FDB10DF15D8847A2FBE8EF95320F08C4AADD088B35AD374E808DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F8A2F6 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 00F8A346

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fe9b8b8f484cdf15f9f556f3adbef32cc3b12726adb22e21010b30e49073f17a
Instruction ID: a75b70da71716d782a5724b1a8ce109ebefa9722dffa050f6af747926b1dca36
Opcode Fuzzy Hash: fe9b8b8f484cdf15f9f556f3adbef32cc3b12726adb22e21010b30e49073f17a
Instruction Fuzzy Hash: 0301D671500600ABD310DF16CD46B66FBE8FB88B20F148159EC089BB41D731F955CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 053816E6 Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05381721

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2a147393e647ca52889a024f314bbab569152c1a1fca1c1bebccafddc06da699
Instruction ID: f29ebd30dd25db37e4dcf3ca5e9a2795a778c6a093dcd9e99ddf228950439d9c
Opcode Fuzzy Hash: 2a147393e647ca52889a024f314bbab569152c1a1fca1c1bebccafddc06da699
Instruction Fuzzy Hash: 3301B135504B009FDB209F15D844B66FBE5EF15220F08C09EED458BA61C271E418CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0538135E Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05381399

Memory Dump Source

Source File: 00000000.00000002.1699825219.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_G2Hseja2zK.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d16f360f6371b93f2bdba81a1761ebf9492eade14877425eb7993267388e47f7
Instruction ID: 773b514e3e57a6f6b49d1b4cde5dce67dea530c43bb79f17e4004a38c51038bf
Opcode Fuzzy Hash: d16f360f6371b93f2bdba81a1761ebf9492eade14877425eb7993267388e47f7
Instruction Fuzzy Hash: C401B831A007009FDB20DF45D884B26FBE4EF19220F08C09ADE490AA62C2B1E418CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F8A44E Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE ref: 00F8A480

Memory Dump Source

Source File: 00000000.00000002.1698782824.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8a000_G2Hseja2zK.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 774b12c500ea3900fd4c785d816e547d8e5246deacebe590445d4d3e42bbf7dd
Instruction ID: a96264ce6d2e9bf52a869447fd4d8229fb411537b6f8883e1501647e210e782a
Opcode Fuzzy Hash: 774b12c500ea3900fd4c785d816e547d8e5246deacebe590445d4d3e42bbf7dd
Instruction Fuzzy Hash: 55F0DC759042408FEB10DF05D8897A1FBA4EF15320F18C0AACD484B762E2B9E808DFA3

Uniqueness

Uniqueness Score: -1.00%

Function 014A9819 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

\Bl, xrefs: 014A9864

Memory Dump Source

Source File: 00000000.00000002.1699418686.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14a0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID: \Bl
API String ID: 0-1179099282
Opcode ID: 97c21c3c7e795929741d02a418babeb2d53118b7fac6f827d6273ea14e470570
Instruction ID: a722d6d4386c9a812a250e5e6a777723bfe19d6400b27fddced0cee93839e7d4
Opcode Fuzzy Hash: 97c21c3c7e795929741d02a418babeb2d53118b7fac6f827d6273ea14e470570
Instruction Fuzzy Hash: 1BF0A431B403109BDB225629DC11BAD3691DBC9754F26016FE601DB3A0DA799C0793D5

Uniqueness

Uniqueness Score: -1.00%

Function 014AC7F0 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699418686.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14a0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72394862d7b7b65625f0220ee2d224f04524d57e78f252e9d68d5b7714879d9
Instruction ID: 86ff65a75bad5a8afd92a5c1ca47f53236c48e535de2304cd7d79e892778cad5
Opcode Fuzzy Hash: b72394862d7b7b65625f0220ee2d224f04524d57e78f252e9d68d5b7714879d9
Instruction Fuzzy Hash: CE91C331B00216CFCB19DB79D9906AEBBA2EF89218F11413AC505AB7A1DF38DD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014AC630 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699418686.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14a0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f47d00982490d9fb268589f79fd6fa7a019b05a8c5ada846372e546ef7711ac
Instruction ID: 6dab1f880128460ce7523dbff4e24b3cddd39252aaaf0dc5b4ed31b988511401
Opcode Fuzzy Hash: 6f47d00982490d9fb268589f79fd6fa7a019b05a8c5ada846372e546ef7711ac
Instruction Fuzzy Hash: CE4125357001054BDB46CBA8C881BBEFBA2AB95304F59852AD6088F792D634EC4187E1

Uniqueness

Uniqueness Score: -1.00%

Function 014AC7E1 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699418686.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14a0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a37ebd51fb2d16b5950a60e17554c5aca58b64a5728d78519c0ad3de5196118
Instruction ID: 78ba90430aa33e57b5c683a4d8bcd2a831b1b93d7f16b0b1f131ef45f7ae91f3
Opcode Fuzzy Hash: 8a37ebd51fb2d16b5950a60e17554c5aca58b64a5728d78519c0ad3de5196118
Instruction Fuzzy Hash: 8431CD30A04247CFCB51DB6ADDC09BFBBB1FB98225B11412AD811973A5DB34ED84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014D0734 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699452840.00000000014D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b4ca86fa44622681b2949eacadf92b12fa381acc9d38b4550cccdbd5ac33d8
Instruction ID: a4539e4c795d79e6c597a518d5fddabe0c24c8096d4c6bd9ac541ac66bf431ee
Opcode Fuzzy Hash: 57b4ca86fa44622681b2949eacadf92b12fa381acc9d38b4550cccdbd5ac33d8
Instruction Fuzzy Hash: 3A214C3550D3C59FCB038B24C960B55BFB1AF47204F1986EBD4858F6A3C23A990ADB52

Uniqueness

Uniqueness Score: -1.00%

Function 014D076C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699452840.00000000014D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ea2ce610cdde2fdb07cc02410aad25017f7951876468b4e9bc89eb2c6c07aa
Instruction ID: 99a409f0ce395e2dfcf945ebcd3f7df3d5073beeb32f9b9565270a3779ae7069
Opcode Fuzzy Hash: 76ea2ce610cdde2fdb07cc02410aad25017f7951876468b4e9bc89eb2c6c07aa
Instruction Fuzzy Hash: AF11E430604280DFDB11CB14D990B26BBE1EB89708F24C99EF5490BB62C737D803CA92

Uniqueness

Uniqueness Score: -1.00%

Function 014A0018 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699418686.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14a0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb28debf81ffe55709252bb04182119f1544372e65dd0af97206f7b052d1096
Instruction ID: 174138957ff6a2d2fec4db3a8dd44025f2e8134275fc4050f80e9adcc683b417
Opcode Fuzzy Hash: 7cb28debf81ffe55709252bb04182119f1544372e65dd0af97206f7b052d1096
Instruction Fuzzy Hash: 3E01002118EBD25FCB57977009724A9BF719E5326430F86DBC085CE4A3DA1D4D8AC7A3

Uniqueness

Uniqueness Score: -1.00%

Function 014D05DF Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699452840.00000000014D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d36a31b5e48aff26e5773c171a24cb1938942467d323c5d411c846dfeb91a99
Instruction ID: 791525f4a9de2925ec0770600a369cf5079dfb66946b16a9976f7ae068cf2420
Opcode Fuzzy Hash: 3d36a31b5e48aff26e5773c171a24cb1938942467d323c5d411c846dfeb91a99
Instruction Fuzzy Hash: 370186B650D7805FD7118B15AC44863FFA8EB86620709C4AFEC498B752D125A908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 014D0828 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699452840.00000000014D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6850d79e688ef7387407e307c00caab001beb49244c143f541758b1d055de9a
Instruction ID: bbc90f3d7c20e15b2e136330dca356d13309be6764acae8cfc15c495ea5f276e
Opcode Fuzzy Hash: e6850d79e688ef7387407e307c00caab001beb49244c143f541758b1d055de9a
Instruction Fuzzy Hash: 60F01D35544644DFC716CB44D980B16FBA2EB89718F24CAADE9490B762C737E813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 014D0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699452840.00000000014D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4227f7a6af4ac27c8635a3b1db4a3239aee736ced67706a9f204e7b708c7e953
Instruction ID: fa0905093aa844cec7e4ad5bf32eea7b6ae662a3bdb5a4eae8d7f5fca996ca20
Opcode Fuzzy Hash: 4227f7a6af4ac27c8635a3b1db4a3239aee736ced67706a9f204e7b708c7e953
Instruction Fuzzy Hash: D6E012B6604A445B9750DF0AEC45452F7D8EB84630718C47FDC0D8BB11D675F509CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 014A00A0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699418686.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14a0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321b9c3177de430524f5521b1a97ab7f22ad6c29de1b41cf88b8e51a42c2c192
Instruction ID: b39fe35d02508ff392ab2a13eb077129f1679addcb69ac888e629ea0842cc556
Opcode Fuzzy Hash: 321b9c3177de430524f5521b1a97ab7f22ad6c29de1b41cf88b8e51a42c2c192
Instruction Fuzzy Hash: 41D0A72264C06096CA0622F82D528FE6B594AC3610B05016BF006CB2B3CE8D0D0292D6

Uniqueness

Uniqueness Score: -1.00%

Function 014A0070 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699418686.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14a0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f580b5be50873b882cef1cb3a06d094ae609aa306845234f66091102b2ea6a7
Instruction ID: aa7f18d709d5f3935e4ab85f306ddc7280a1b6d77f26d0a5ca8d1d0574f406ec
Opcode Fuzzy Hash: 1f580b5be50873b882cef1cb3a06d094ae609aa306845234f66091102b2ea6a7
Instruction Fuzzy Hash: AFC01222301934430E5933B616260FE725A8F924A8707147BD21ACA382CF0B99821ADA

Uniqueness

Uniqueness Score: -1.00%

Function 00F823F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698763647.0000000000F82000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F82000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f82000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b37689446cdb81eb53a216b770f4512e393145e24ded5694e014ffe7fe7f4f1
Instruction ID: a19382dbb97aeca298e9b524bbf45fdd38c4eb456cc099aae84b2da0476782dc
Opcode Fuzzy Hash: 0b37689446cdb81eb53a216b770f4512e393145e24ded5694e014ffe7fe7f4f1
Instruction Fuzzy Hash: E9D05E796056C14FD316EA1CC1A4BD537D8AB61724F4A44FAA8008B763C768E981E710

Uniqueness

Uniqueness Score: -1.00%

Function 00F823BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698763647.0000000000F82000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F82000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f82000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5d56cd95dcad235f9a59414de735a2765aa64b12aad59d3b0927c504708c2d
Instruction ID: 32c92935dd3db97bdd901ffcb4f1cd04da48eace5c45d6a76689a54abd1bef00
Opcode Fuzzy Hash: 1d5d56cd95dcad235f9a59414de735a2765aa64b12aad59d3b0927c504708c2d
Instruction Fuzzy Hash: 23D05E346002814BC756EA0CC6E4F9937D8AB50B24F1A44E8BC108B762C7A8E9C1DB00

Uniqueness

Uniqueness Score: -1.00%

Function 014A00B0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699418686.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14a0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7332b3c50bca63790ee262aaac189450f0e321651e0869cdf21cb4cef763891b
Instruction ID: 913353239c09ff0b5d0939c01d820063db9ffc71acb6da6f64e20275e2bfc42e
Opcode Fuzzy Hash: 7332b3c50bca63790ee262aaac189450f0e321651e0869cdf21cb4cef763891b
Instruction Fuzzy Hash: 26C09B11708534931C1D315D3D514ED734D4986D65B41055BF509D7362CE4E1D4153DF

Uniqueness

Uniqueness Score: -1.00%

Function 014AC7C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699418686.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14a0000_G2Hseja2zK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb6faab36dc2fa3161155dc345aed0b7961d9f6ac049be9f08796d8d74fac30
Instruction ID: b70eaf6cc69f6f197f7d8a3fa02b3e1e2f1646d4595fe2c7091923c76f94e745
Opcode Fuzzy Hash: bbb6faab36dc2fa3161155dc345aed0b7961d9f6ac049be9f08796d8d74fac30
Instruction Fuzzy Hash: 0DC0125650D7858FC78295306C886C47FA19A5321178A80E688408B536D31D48494722

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: chargeable.exePID: 7300, Parent PID: 5000COMMON

Execution Graph

Execution Coverage:	19.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	54
Total number of Limit Nodes:	3

Executed Functions

Function 04FC0DFA Relevance: 1.6, APIs: 1, Instructions: 69
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL(?,?), ref: 04FC0E73

Memory Dump Source

Source File: 00000002.00000002.1734431057.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_chargeable.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 26c1923a1bcf9904a7b57c563f19b2a5852c5e41e868cbee90bd678948be0af2
Instruction ID: ef903133cee664fc61169520c0f91b7a3ae45bf77152a35661846584c9a73a2e
Opcode Fuzzy Hash: 26c1923a1bcf9904a7b57c563f19b2a5852c5e41e868cbee90bd678948be0af2
Instruction Fuzzy Hash: 0921B0B14493C09FDB12CF21D854BA1BFE0EF06224F1D84DEE9C48F153D266A54ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0EB9 Relevance: 1.6, APIs: 1, Instructions: 62nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 04FC0F24

Memory Dump Source

Source File: 00000002.00000002.1734431057.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_chargeable.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: b34d51c766ea99d4f4298679a7e6065bf4d56ec201b1e326e6a6f48e1b437b4d
Instruction ID: d3ba2d1880dc7610921f1355cf8580f09a1b854260b035b6a6fb5ea90305ada3
Opcode Fuzzy Hash: b34d51c766ea99d4f4298679a7e6065bf4d56ec201b1e326e6a6f48e1b437b4d
Instruction Fuzzy Hash: 83119D72409380AFDB228F51DC44BA2FFB4EF46220F0884DAED848F562D275A459DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0EE6 Relevance: 1.5, APIs: 1, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 04FC0F24

Memory Dump Source

Source File: 00000002.00000002.1734431057.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_chargeable.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: d31d2a2960f94f152dd3544fca91f314a6aae8921a98ddc85ab8b11d9abcc4c4
Instruction ID: 969bfa6d4c151fb4d18d5ff5a85828cebd6169895dabdafb4e52d3a26cdff46d
Opcode Fuzzy Hash: d31d2a2960f94f152dd3544fca91f314a6aae8921a98ddc85ab8b11d9abcc4c4
Instruction Fuzzy Hash: 29018C32900200DFDB208F95D944B66FBE4EF19220F08C4AEDD498B656D375E459DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0E3E Relevance: 1.5, APIs: 1, Instructions: 40nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 04FC0E73

Memory Dump Source

Source File: 00000002.00000002.1734431057.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_chargeable.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0904b03cf849c5bab02b4b8da17529d74d36c84ba3e9b5b6af9983e956a27ccd
Instruction ID: 1222910c3d6ff8e106948a17b821a4f3e7eea93b88046e8547a0d9d199334ef0
Opcode Fuzzy Hash: 0904b03cf849c5bab02b4b8da17529d74d36c84ba3e9b5b6af9983e956a27ccd
Instruction Fuzzy Hash: 4401BC72A04200DFDB108F55D984B61FBA4EF08220F0884AADD488B656D279E409CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 011700D0 Relevance: 9.1, Instructions: 9148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1733872691.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1170000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f135a280f5e340355526dbf202b6a9c7815c6c1aba799c06a48c86d39bfc37e7
Instruction ID: 4a19afbf09772349678c506dc6c3dacd5cbd64cc23b50eb94b3691ac733ea14f
Opcode Fuzzy Hash: f135a280f5e340355526dbf202b6a9c7815c6c1aba799c06a48c86d39bfc37e7
Instruction Fuzzy Hash: 13142734600604DFD765DB30C998BE9B3B2EF89304F5188A9D55AAB360DF36AE85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 011700E0 Relevance: 9.1, Instructions: 9140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1733872691.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1170000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be46a600adde22e7f12365e54a9b0bc413df47d00404fb535e3ebfe277efd26b
Instruction ID: ee1d712c5283f1bf6075e10fc45ae72c3060982b6a3211aad5b9815b3aa254a8
Opcode Fuzzy Hash: be46a600adde22e7f12365e54a9b0bc413df47d00404fb535e3ebfe277efd26b
Instruction Fuzzy Hash: 51142734600604DFD765DB30C998BE9B3B2EF89304F5188A9D55AAB360DF36AE85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 011798A0 Relevance: 2.7, Instructions: 2697
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1733872691.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1170000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78570dbaf31969ce0907f31fc80f68d6414635025e18b3b769815529327f5569
Instruction ID: 84c7f00b46031c78ed9ac3db05ef648eeae14eacb9e9f66d2f4068eeb2a8a5b7
Opcode Fuzzy Hash: 78570dbaf31969ce0907f31fc80f68d6414635025e18b3b769815529327f5569
Instruction Fuzzy Hash: CC33C534315520CB8906FB20D55479F7BBAAB88998316C356C90587B8CCF35FE6B8BC9

Uniqueness

Uniqueness Score: -1.00%

Function 01179828 Relevance: 2.5, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Bl, xrefs: 01179864
\Bl, xrefs: 01179870

Memory Dump Source

Source File: 00000002.00000002.1733872691.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1170000_chargeable.jbxd

Similarity

API ID:
String ID: \Bl$\Bl
API String ID: 0-2688229348
Opcode ID: 30bae6e488f0d13aba339ffb9689be9d08218cd01f5c5a3748d7d655cb952cc0
Instruction ID: d28fa5035131a646e09708a74c85dcc57acbef95b419f5b884c59d0d84989f80
Opcode Fuzzy Hash: 30bae6e488f0d13aba339ffb9689be9d08218cd01f5c5a3748d7d655cb952cc0
Instruction Fuzzy Hash: 5DF0F631B00214A7D725A2AD9811B6E32E687C9B64F26403AE601EB7D4DE61EC0643E6

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0CA1 Relevance: 1.6, APIs: 1, Instructions: 121
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000E24), ref: 04FC0DA4

Memory Dump Source

Source File: 00000002.00000002.1734431057.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_chargeable.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: de27b4e32015a5dc94a9c8866392815aad1a13b9bc9058020c75f527c7c4ca5a
Instruction ID: 38ce0b6b036651dc8705e7c1ea0f01a7a8d1b4a158a39fa57c347dd75db2a87e
Opcode Fuzzy Hash: de27b4e32015a5dc94a9c8866392815aad1a13b9bc9058020c75f527c7c4ca5a
Instruction Fuzzy Hash: EB41B171504340AFEB22CB65CD41FE6BBFCEF05310F04489AF9898B592D665F949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0CDA Relevance: 1.6, APIs: 1, Instructions: 97
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000E24), ref: 04FC0DA4

Memory Dump Source

Source File: 00000002.00000002.1734431057.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_chargeable.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 229b1116b5e5d91062593f77d81ecc3e082217b1aac16c6fa0e1e598e429b253
Instruction ID: 72a0a3f018a9144e13eb235ca4622e8cf62769b362950786ab9efe6458b14b31
Opcode Fuzzy Hash: 229b1116b5e5d91062593f77d81ecc3e082217b1aac16c6fa0e1e598e429b253
Instruction Fuzzy Hash: 91318E72600201AFEB21CFA5CD41FA6F7ECEB08710F04855AEA49CA690DB71F549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D2AC22 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00D2ACD1

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9e0ef860c129d015252d10939c93cd48478527578e1bfebfbf21a64b8442a1f8
Instruction ID: c7ea9eb1d0f66b4ce959a9e0b8023542a7edc31b0c49ec14f02f51a0552a9fc8
Opcode Fuzzy Hash: 9e0ef860c129d015252d10939c93cd48478527578e1bfebfbf21a64b8442a1f8
Instruction Fuzzy Hash: 1E31C272504380AFE7228B15DC45FA7BFBCEF06314F08849BE9848B652D264E94DCB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D2AD19 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,DCB6BF38,00000000,00000000,00000000,00000000), ref: 00D2ADD4

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7b1e04ed7db6a003b59f0765e76fdff0de96042a17cf2e6c0cafc4dc63f96b6b
Instruction ID: 446f9fca43b4bae3c61fd4c5090a1590d0779119eacd8965044149d1c8578c65
Opcode Fuzzy Hash: 7b1e04ed7db6a003b59f0765e76fdff0de96042a17cf2e6c0cafc4dc63f96b6b
Instruction Fuzzy Hash: 2631B3715093805FD722CB25DC44FA2BFF8EF06314F08849AE945CB592D364E949CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2A2AC Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 00D2A346

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 458169b8996bd4c69f2d9e173b4202b061445f60a7ab9f2ee4d48fc8f6f72176
Instruction ID: dd9b01c442bad2587f90f4ce7875c02b3c693048f53b1baeb76b5037b632534d
Opcode Fuzzy Hash: 458169b8996bd4c69f2d9e173b4202b061445f60a7ab9f2ee4d48fc8f6f72176
Instruction Fuzzy Hash: 1421D77150D3C06FD3138B259C51B62BFB8EF87614F0A40CBE884CB693D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00D2AC52 Relevance: 1.6, APIs: 1, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00D2ACD1

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e0fc219733bad64028e7f2d0935e3444afb731070735fb71bf7c7553a7603b1f
Instruction ID: 2075586d270300e95294e77c849213641f971d3054844c2593f2e872ea6377f3
Opcode Fuzzy Hash: e0fc219733bad64028e7f2d0935e3444afb731070735fb71bf7c7553a7603b1f
Instruction Fuzzy Hash: 4221CF72500204AFE7209F55DD44FABFBECEF24324F08845AEA45CB651D324E94C8AB2

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0431 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 04FC04B3

Memory Dump Source

Source File: 00000002.00000002.1734431057.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_chargeable.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 6673a8e7aff3e20d9d19f1e31b4123424cb02934051b755998031deddf188c63
Instruction ID: 3e2cffdd3b5125d41fea306d80145a06c4e3ffc979341856d0dbf3dd24f6f953
Opcode Fuzzy Hash: 6673a8e7aff3e20d9d19f1e31b4123424cb02934051b755998031deddf188c63
Instruction Fuzzy Hash: 93218E715057809FDB22CF65DD44B66BFF8EF06210F08849AE9848F563D275E809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D2AD5A Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,DCB6BF38,00000000,00000000,00000000,00000000), ref: 00D2ADD4

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e25bfe0f7c6cc950bdfad8d40315bbcdfaf2601269f29b392cc81dff10aa7e9b
Instruction ID: a2df0c3427b20af6c639188a984b421da12e49b309ef568c1b0f2e96ab5c2814
Opcode Fuzzy Hash: e25bfe0f7c6cc950bdfad8d40315bbcdfaf2601269f29b392cc81dff10aa7e9b
Instruction Fuzzy Hash: 3821D575600610AFE720CF19DC40FA3F7ECEF24714F08845AE945CB651E360E948CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D2BAB4 Relevance: 1.6, APIs: 1, Instructions: 68
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?), ref: 00D2BB2C

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 78fa3b792575746b7bedac632dc34b1117b0cd43399b11c28e362e51c7e02bcb
Instruction ID: 7eda72247bdfcba8b73b5f96422851045c688d01d5bdf2632c50e0cc979db333
Opcode Fuzzy Hash: 78fa3b792575746b7bedac632dc34b1117b0cd43399b11c28e362e51c7e02bcb
Instruction Fuzzy Hash: 0D215E715093C05FDB128B25DC94792BFB8DF57324F0D84DAE9848F567D2649908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D2B42D Relevance: 1.6, APIs: 1, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00D2B4A9

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: c94a86b6268b7b6310fd0b89c7665215d236f79b7aa99cb7a2ca52d1c04d5695
Instruction ID: b7ea742798bcd0b9b24d6ca91a734ccec8db205a7eef1cebd7a5e2e102ec2f0d
Opcode Fuzzy Hash: c94a86b6268b7b6310fd0b89c7665215d236f79b7aa99cb7a2ca52d1c04d5695
Instruction Fuzzy Hash: 4E2196715097805FDB228E15DC85B62BFF8EF56724F08808AED84CB253D365E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D2BC4B Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 00D2BCBF

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: eca9fe2608798716356126aebb7edd2b73c858deaf31dab5127dc26331d834dd
Instruction ID: 8be830792838f66aa75b42020a436c1630244fcf874c22e9c7a6d2c58dfd28b5
Opcode Fuzzy Hash: eca9fe2608798716356126aebb7edd2b73c858deaf31dab5127dc26331d834dd
Instruction Fuzzy Hash: 7D2193B15093809FDB11CF25DC45B52BFB4EF56324F0984DAE9848F163D2749909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 04FC1009 Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04FC107D

Memory Dump Source

Source File: 00000002.00000002.1734431057.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_chargeable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 47fb5986c21313c42eac885866417f9decd7f261c83a57692dc1c9fdd9a66583
Instruction ID: 125f3f8b1480b9bc53a2dc2591d5547d357b40506b05ff937bb4853e3bc7d157
Opcode Fuzzy Hash: 47fb5986c21313c42eac885866417f9decd7f261c83a57692dc1c9fdd9a66583
Instruction Fuzzy Hash: FD21CD724093C09FDB138F21CC44A92BFB4EF07220F0884DAE9848F563D225A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0006 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 04FC0082

Memory Dump Source

Source File: 00000002.00000002.1734431057.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_chargeable.jbxd

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: 170e3ef2333a5f0109d59bb629f26b7b0d405793928ef3019c9e2c713ee29fb5
Instruction ID: 6342277d37b35170f28a571917a3944563fd0f0f9d629ab4cd169fe193301855
Opcode Fuzzy Hash: 170e3ef2333a5f0109d59bb629f26b7b0d405793928ef3019c9e2c713ee29fb5
Instruction Fuzzy Hash: 7A11E9715093806FC311CB25CC55F62FFB8EF86610F19819FE848CB693D225B519CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D2A5FB Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D2A666

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bf699f05785073d1ba33b0275f471586d549dedf1f4f1be88f0bf3b0560786e1
Instruction ID: 9bd4b10bdf6e7a2db4788279d803ff3ea50a3e757f895b443348bf1d5f3db951
Opcode Fuzzy Hash: bf699f05785073d1ba33b0275f471586d549dedf1f4f1be88f0bf3b0560786e1
Instruction Fuzzy Hash: 1C11B471409780AFDB228F54DC44B62FFF4EF4A310F0888DAED858B562D235A418DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D2BD10 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 00D2BD75

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 6770e476b61926f53335a98265ea06e96c623ba5d4c324510120a2da464dc4af
Instruction ID: 17144e733105e162f75733b0aa29bccbbb1a79d01911e04e15eb38d79c7d3537
Opcode Fuzzy Hash: 6770e476b61926f53335a98265ea06e96c623ba5d4c324510120a2da464dc4af
Instruction Fuzzy Hash: 3711C472505380AFDB218F15DC45BA2FFF8EF56724F08809EED858B662D261E818CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04FC139B Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04FC1405

Memory Dump Source

Source File: 00000002.00000002.1734431057.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_chargeable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e46cf907e19fcdfd13d53ad8fe7024d1d3dd2d26270fb4415346d63ca9078e67
Instruction ID: 74199083e0ba9836c77f6b1c6370aaaf8d4228fa3e6eee83a1978cf4bb2a2548
Opcode Fuzzy Hash: e46cf907e19fcdfd13d53ad8fe7024d1d3dd2d26270fb4415346d63ca9078e67
Instruction Fuzzy Hash: 2911E2715493809FDB228F11DC45B52FFB4EF46324F0884DEED458B663C275A419DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0462 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 04FC04B3

Memory Dump Source

Source File: 00000002.00000002.1734431057.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_chargeable.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: d73d9b74f20a5100de528d2da014d78d34a8ff0bcc5f4345cac6583b94130106
Instruction ID: eeff21bf0b01dfa4e16c9fda84eafe25cd690ea80ca51ff126bb000a7a7f8ff7
Opcode Fuzzy Hash: d73d9b74f20a5100de528d2da014d78d34a8ff0bcc5f4345cac6583b94130106
Instruction Fuzzy Hash: 72117072A00204DFDB20CF55D944B67FBE8EF04720F08846ADD458B652E775E40ADF62

Uniqueness

Uniqueness Score: -1.00%

Function 00D2A42A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00D2A480

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c77e24c8d60cb1acd8f40c6b45462aff377ef261a8b1c0f123b545aa697e520f
Instruction ID: 26f593767dec76b03a0da1cfb579bdf0f4f0a15e1afe063cd9955aec8eabc2d4
Opcode Fuzzy Hash: c77e24c8d60cb1acd8f40c6b45462aff377ef261a8b1c0f123b545aa697e520f
Instruction Fuzzy Hash: A101C471409380AFDB128F15DC44B62FFB8EF56324F0880DAED844B253D275A808DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D2B45E Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00D2B4A9

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 86b5b9ef08e85a7fb2959556c240f690d1c5bc83cd7fe783ac1cad56513062f3
Instruction ID: 6cce3a1dbbdb71cf4995d7c0822a1622ab8332322e1c851f893c08c3f1910aec
Opcode Fuzzy Hash: 86b5b9ef08e85a7fb2959556c240f690d1c5bc83cd7fe783ac1cad56513062f3
Instruction Fuzzy Hash: CC0180716006009FDB20DE15E885B62FBE8EF24738F08809ADD498B752D3B5E809CF72

Uniqueness

Uniqueness Score: -1.00%

Function 00D2BD32 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 00D2BD75

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 76bc9d299b68d794a615eb0bb5e3cfef7eb5dc8e758bb994d5c759a425e40985
Instruction ID: 7b81992991075ba8455b391bda9ae533233038ff0b9ab8c3fc3ece98797dcc47
Opcode Fuzzy Hash: 76bc9d299b68d794a615eb0bb5e3cfef7eb5dc8e758bb994d5c759a425e40985
Instruction Fuzzy Hash: 620180726006009FDB608F15E845B96FBE4EF25724F08809ADD468B661D3B5E818DE72

Uniqueness

Uniqueness Score: -1.00%

Function 00D2A622 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D2A666

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 61323e5330b6cbef646984f01bfef0f340afbbf29acb883d28a23b0bc07b1cd5
Instruction ID: e1ecd487278bea8c2009c635b2e80e26196fec971e1e66f489c4d404f0255f41
Opcode Fuzzy Hash: 61323e5330b6cbef646984f01bfef0f340afbbf29acb883d28a23b0bc07b1cd5
Instruction Fuzzy Hash: C201C032904A009FDB218F55D844B62FFF4EF28725F08C89ADE898A651D336E418DF72

Uniqueness

Uniqueness Score: -1.00%

Function 00D2BC82 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 00D2BCBF

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 69770eaf5adc73cfa100a46022392e6229d2186e2e325256b10e88462248c560
Instruction ID: a75a920784adb2df06a8c2480f9ba81402c42852d92077085195b25a7b8e07fc
Opcode Fuzzy Hash: 69770eaf5adc73cfa100a46022392e6229d2186e2e325256b10e88462248c560
Instruction Fuzzy Hash: 44019E71A002009FEB10DF25E885766FBE8EF24324F0884AADD488B652D7B5E404DEB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D2BAF2 Relevance: 1.5, APIs: 1, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 00D2BB2C

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 55563833e1b2c94117b741b7aa786afcb5ff36989f5250e164c6cc30fcb25038
Instruction ID: ebec27faf52082364cd4f95f5421e268f7908fc98ca22d5b4d867df428478e2a
Opcode Fuzzy Hash: 55563833e1b2c94117b741b7aa786afcb5ff36989f5250e164c6cc30fcb25038
Instruction Fuzzy Hash: BD019E71A002408FDB10CF15E884762FBE8EB25324F0884AADD488B65AD3B4E804CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D2A2F6 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 00D2A346

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 49f287dea2c894ad23c16c8887b0b5f8edb530db5d9d9f534368faaf898690aa
Instruction ID: dc1acc92cfe2aec9eb5dcacb3489dcb3ed4af2ec0bae7acf280d870a9fd05f35
Opcode Fuzzy Hash: 49f287dea2c894ad23c16c8887b0b5f8edb530db5d9d9f534368faaf898690aa
Instruction Fuzzy Hash: 8A01A271900200ABD210DF16CD46B66FBE8FB88A20F14815AEC089BB41D735F955CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0032 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 04FC0082

Memory Dump Source

Source File: 00000002.00000002.1734431057.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_chargeable.jbxd

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: 8a14391ea2519236faf2f4e7783c7b61c0516269a0f30342d651464a0b37e93c
Instruction ID: d233ccda6d7fc111e78a93832c5b3297b1498c57839f7f9bcdf6d049cc701955
Opcode Fuzzy Hash: 8a14391ea2519236faf2f4e7783c7b61c0516269a0f30342d651464a0b37e93c
Instruction Fuzzy Hash: D201A271900200ABD210DF16CD46B66FBE8FB88A20F14811AED089BB41D731F955CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 04FC13CA Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04FC1405

Memory Dump Source

Source File: 00000002.00000002.1734431057.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_chargeable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b247f2726db5815e3ad0160784231ca8f8148fb46a0cacdc7c6686588e31c776
Instruction ID: 714217ef815f54a57a3bf6adfb645af06dd5fb639d27382bfed1b9c2ca3ed7e9
Opcode Fuzzy Hash: b247f2726db5815e3ad0160784231ca8f8148fb46a0cacdc7c6686588e31c776
Instruction Fuzzy Hash: 7701D432A00600DFDB208F15D944B66FBE4EF15220F08C09EDD458B762D375E468DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 04FC1042 Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04FC107D

Memory Dump Source

Source File: 00000002.00000002.1734431057.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_chargeable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f2e032165550e508eca63836e8f8ac5751d2c9d2bc508a71998b5253a3241348
Instruction ID: 6adc97da08a476fbe27530477e8b8acf910de6c28655642b72837a682786981b
Opcode Fuzzy Hash: f2e032165550e508eca63836e8f8ac5751d2c9d2bc508a71998b5253a3241348
Instruction Fuzzy Hash: 66018F36944640DFDB208F05DA44B61FBE4EF15220F08C09EDD454B662D375E429DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D2A44E Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00D2A480

Memory Dump Source

Source File: 00000002.00000002.1732780743.0000000000D2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d2a000_chargeable.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e2a0385e9593a102892abcde36b478e5900d31db7e1b281ed6f8df9211569a1d
Instruction ID: 22a3ce5698e3a722b4d728f5b8b84364e4db150eb350c5c84d233efc65cb44c6
Opcode Fuzzy Hash: e2a0385e9593a102892abcde36b478e5900d31db7e1b281ed6f8df9211569a1d
Instruction Fuzzy Hash: 5DF08C759042409FDB109F09E889761FBA4EF25728F08C0AADD494B752D2B9E809CEA3

Uniqueness

Uniqueness Score: -1.00%

Function 01179819 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

\Bl, xrefs: 01179864

Memory Dump Source

Source File: 00000002.00000002.1733872691.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1170000_chargeable.jbxd

Similarity

API ID:
String ID: \Bl
API String ID: 0-1179099282
Opcode ID: aaaff1d92ab0d9a2da5205f96896184c931e4c3f9a3e2fe6797853ebb702ee00
Instruction ID: 604b73c9036d427b8e298235b80fdf66ecfc29f1ce990b79ca8611c1fd40d7e5
Opcode Fuzzy Hash: aaaff1d92ab0d9a2da5205f96896184c931e4c3f9a3e2fe6797853ebb702ee00
Instruction Fuzzy Hash: 480149317053549BC72253785C11B6E3BA58BC6B24F26006BE100DF3D2DA62AC0A83E9

Uniqueness

Uniqueness Score: -1.00%

Function 0117CDBD Relevance: 1.3, Instructions: 1285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1733872691.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1170000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e20d7aee599c2c7458a4c6877fb08000610e938d3cc40c699200941cb8a3aac
Instruction ID: 143df0449d9bc9f42cf3c4abf17b185a6907d5f45b6164bce7f23738a1fce9c9
Opcode Fuzzy Hash: 9e20d7aee599c2c7458a4c6877fb08000610e938d3cc40c699200941cb8a3aac
Instruction Fuzzy Hash: D1B15F75E012099FDB09DFA8D881BADFBF2EF88314F158169E515AB392DB319C42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0117C7F0 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1733872691.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1170000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd06a87671c63154deaeecbd029ef31c7948be91126e6726f85b547df5e6a27f
Instruction ID: 64a23de4a8c20fd1350765caeb7189f2d3d9e89d1226dce3d82a86830f02429f
Opcode Fuzzy Hash: bd06a87671c63154deaeecbd029ef31c7948be91126e6726f85b547df5e6a27f
Instruction Fuzzy Hash: 6F91D031B05212CFCB19EB78C854AAEB7B2AF89218F11406AC505EB795DF389D05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0117C630 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1733872691.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1170000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004462a7f00f9b4b79fabd09799368014b8885f75ae9b658fc9d98c1178731e2
Instruction ID: bbb7052b1a56d52f435312ce310f89470d5652944dc252f84df8eccd948d7277
Opcode Fuzzy Hash: 004462a7f00f9b4b79fabd09799368014b8885f75ae9b658fc9d98c1178731e2
Instruction Fuzzy Hash: BA4128317002155BDB0ACB69C881BBEFBB2ABC5304F198569E504CF786DB30EC4587E1

Uniqueness

Uniqueness Score: -1.00%

Function 0117C7E1 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1733872691.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1170000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45016ca706f2207c0dc9ebb774cea84a66971965618599b0200a3ceaf9c5b0d9
Instruction ID: b8933468f9a53360bc8c549e13a1c559ff998a57df03bd0930e1b835cda627ab
Opcode Fuzzy Hash: 45016ca706f2207c0dc9ebb774cea84a66971965618599b0200a3ceaf9c5b0d9
Instruction Fuzzy Hash: 6C310334A06242CFCB1ADB78D944AAEBBB1BF49214B15416AC801D7395DB34ED44CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0117CB00 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1733872691.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1170000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be1b6593de1bc3e0cc3fcfc64aadda99270a8f2dea5ff9de746962aa756b62c
Instruction ID: faf08898d3e014452fb0d8f0394847d688b029015adbd0bb4617d8b0ae842ea0
Opcode Fuzzy Hash: 3be1b6593de1bc3e0cc3fcfc64aadda99270a8f2dea5ff9de746962aa756b62c
Instruction Fuzzy Hash: 9031A130B042468BDB299B39885477E7EF29B89251F18406EE802EB791DB708C45ABD2

Uniqueness

Uniqueness Score: -1.00%

Function 0117CC9F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1733872691.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1170000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6789809094a2bf52215c1e2f2410d809fe9d6d036b2f8359fce35d3e1bd3d749
Instruction ID: bf45ff58061e2cd0e5c80af6421ead9835942699bd1e22af835ca004fee68967
Opcode Fuzzy Hash: 6789809094a2bf52215c1e2f2410d809fe9d6d036b2f8359fce35d3e1bd3d749
Instruction Fuzzy Hash: 4121B071E0022A9FCB15DFB48851AEEBBBAEF89214F154469DA05BB340DB355805CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01170006 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1733872691.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1170000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712cbbe7cf24b16269426a133f57ecc7639e5f8ad6ba78e0649ad498d04ffddc
Instruction ID: 952d6a2ad6c7cbfdba2efe0c66adf3ff61c287e229b840c710c5c73bbec39e2e
Opcode Fuzzy Hash: 712cbbe7cf24b16269426a133f57ecc7639e5f8ad6ba78e0649ad498d04ffddc
Instruction Fuzzy Hash: CF11986118E7D28FC7971BB04C650987FB09E1322035B01EBD0C5CA5A3DA5D5D9AC7B7

Uniqueness

Uniqueness Score: -1.00%

Function 00BE076C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1732555688.0000000000BE0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844bc29b1cb7c5914e558627ad2b47527fe8ab68517225c16010849236723a2f
Instruction ID: 3fe0b9f8c26fa35b65a13ee86ed1ea1cb5bc220e79934221c37478faf487a407
Opcode Fuzzy Hash: 844bc29b1cb7c5914e558627ad2b47527fe8ab68517225c16010849236723a2f
Instruction Fuzzy Hash: B711D2302142C0DFC711DB11D980B26BBE1EB99708F28C9DCE5490BA52C7B7EC43CA82

Uniqueness

Uniqueness Score: -1.00%

Function 00BE0734 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1732555688.0000000000BE0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90fba18350de2e6acd87556c4e08796c48eed27f5ac7eef97d374c04b0455b7b
Instruction ID: 51d0961b2acfc6f32a4d9bb1773068753b6ab75394ccc933a5e685ab7dc29fc6
Opcode Fuzzy Hash: 90fba18350de2e6acd87556c4e08796c48eed27f5ac7eef97d374c04b0455b7b
Instruction Fuzzy Hash: 7E213B3554D3C08FC7038B20D990B51BFB1AB57308F2985EAD8889B6A3C77A9C06DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00BE05E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1732555688.0000000000BE0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1483529a20afd726223b0cd2f4f2bff23b271ee0a63c3d770ae35c8bce207f
Instruction ID: 147dc6f592d12d3fb6ee12c0013d4ea7587e79805119ee9e66e1acecfa84eb54
Opcode Fuzzy Hash: de1483529a20afd726223b0cd2f4f2bff23b271ee0a63c3d770ae35c8bce207f
Instruction Fuzzy Hash: E5F0D6B65497806FC7018F06AC44862FFE8EA96620709C49FEC498B612D225F808CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0117C77F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1733872691.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1170000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b003b056ec9c9d7064d995992d1d4d7a51c7e37c26ba8764f06c1eb087c4227
Instruction ID: ecb4902aaf1418a78a8388205cac2cf8c463330d873d5b4103fa7297703bce6e
Opcode Fuzzy Hash: 9b003b056ec9c9d7064d995992d1d4d7a51c7e37c26ba8764f06c1eb087c4227
Instruction Fuzzy Hash: 72F05C7520E2818FC705E730A9849DDBF516FD5309B14459FD2808B656DF214858C3A3

Uniqueness

Uniqueness Score: -1.00%

Function 00BE0828 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1732555688.0000000000BE0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6850d79e688ef7387407e307c00caab001beb49244c143f541758b1d055de9a
Instruction ID: b353315c5bdcda35e589d4aec68d2bc0dddd21b7776541b382e40d9baf20eae1
Opcode Fuzzy Hash: e6850d79e688ef7387407e307c00caab001beb49244c143f541758b1d055de9a
Instruction Fuzzy Hash: 74F01D35148684DFC306DB40D980B15FBE2EB89718F24CAADE94907752C777E813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 00BE0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1732555688.0000000000BE0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c6a9a7fcd9ceea504b4e30a53e56a69460f1c848abb88bd9266eca5072d836
Instruction ID: 38770025ab0581fa862f3ca6b18ba56e4c0f9df8833d857dc2458186d1b8a30b
Opcode Fuzzy Hash: c5c6a9a7fcd9ceea504b4e30a53e56a69460f1c848abb88bd9266eca5072d836
Instruction Fuzzy Hash: 38E092B66446004B9750CF0AEC41452F7E8EB94630708C07FDC0D8BB11E239F508CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 011700A0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1733872691.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1170000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de6a3cbf1bfb11083d5d763b814e8763e49a28cb48bf919f82f9aea4092f1e7
Instruction ID: b92939a77c581b8e5f8f2b437466b151f20968938ad95d2b0b4911ab25ffd08c
Opcode Fuzzy Hash: 1de6a3cbf1bfb11083d5d763b814e8763e49a28cb48bf919f82f9aea4092f1e7
Instruction Fuzzy Hash: EAD0223334A228A3898E31A82C124EE778DCBC7A217050067F1058B383CE891D0242FE

Uniqueness

Uniqueness Score: -1.00%

Function 01170070 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1733872691.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1170000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d9ddbd49e7bfa86af92991f49784aa0ee90555e076dcc12c8f216ba3498a25
Instruction ID: 09b7f91154cc4ca13d730eaeddc350cd03aa4ab834b0d353ad5ea942236474c9
Opcode Fuzzy Hash: 73d9ddbd49e7bfa86af92991f49784aa0ee90555e076dcc12c8f216ba3498a25
Instruction Fuzzy Hash: 42C01222301534530A49327511260FE625A8F52498307147BD11B8A342CF0B994206EE

Uniqueness

Uniqueness Score: -1.00%

Function 00D223F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1732726244.0000000000D22000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d22000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831703d3d868f2779b8b6392ffe1c4502c01672078ea1f7218a1261c9c8204da
Instruction ID: 04bfa467113ca1dc9b1913f667534d64dfeb4fd29207460c4f9a91faea69494e
Opcode Fuzzy Hash: 831703d3d868f2779b8b6392ffe1c4502c01672078ea1f7218a1261c9c8204da
Instruction Fuzzy Hash: EED02E792006D04FD312AA0CD1A5BA537D8ABB0708F0A00FAAC008B763C768D882C620

Uniqueness

Uniqueness Score: -1.00%

Function 00D223BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1732726244.0000000000D22000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d22000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171e9fbceacd224f3828cebea7af07638edde60bfdae214fe3e44a94ddd8733e
Instruction ID: 87e2c336a2f7d63831f7973c19ddb10e4bee434d0edaa3e07b59705a93740207
Opcode Fuzzy Hash: 171e9fbceacd224f3828cebea7af07638edde60bfdae214fe3e44a94ddd8733e
Instruction Fuzzy Hash: 2DD05E342002814BC719DA0CD6D4F6937D8AF60B18F1A44ECBC208B762C7A9D8C1CA10

Uniqueness

Uniqueness Score: -1.00%

Function 011700B0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1733872691.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1170000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d329c196f022cf4f19c59757b7d18ca8d33ad5b92b6149d707247168a5a19e05
Instruction ID: 4dd4ecb15d6d83a10de0de0e27cfa859d3e8c20b28dc20193d6f31c086bceafc
Opcode Fuzzy Hash: d329c196f022cf4f19c59757b7d18ca8d33ad5b92b6149d707247168a5a19e05
Instruction Fuzzy Hash: E3C09B1131A534930C5D315D35524ED734DC986D65745145BF50957352CE451D4143FF

Uniqueness

Uniqueness Score: -1.00%

Function 0117C7C0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1733872691.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1170000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64a683d1a8019afd8a74c57c64c96ef52ce73678eee6e5d5c5731b33927421a
Instruction ID: 98f8407d54e8557db2cf2fdb282bbf28d5f98d39224e90e221f5189c770eba1b
Opcode Fuzzy Hash: c64a683d1a8019afd8a74c57c64c96ef52ce73678eee6e5d5c5731b33927421a
Instruction Fuzzy Hash: ECC0486AA0B2C08FC70382351E582C52F329B5321538D80DA9581CA262E04C480E8766

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: chargeable.exePID: 7340, Parent PID: 7300COMMON

Execution Graph

Execution Coverage:	14.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5%
Total number of Nodes:	139
Total number of Limit Nodes:	6

Executed Functions

Function 04F228DB Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04F2295B

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 5ee40e9a97e184e7236ba08924bdd23d4f53ccb9eb89a6dad1ce08d2a699a4cd
Instruction ID: 1c5bef736cdfe819af24603d9d0a35babd9c6ba0fed91855c9dacae1c9e258ea
Opcode Fuzzy Hash: 5ee40e9a97e184e7236ba08924bdd23d4f53ccb9eb89a6dad1ce08d2a699a4cd
Instruction Fuzzy Hash: EF21D1755097C09FDB128F25DC44B92BFF4EF06310F0984DAE9858B563D231E918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04F22DBB Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 04F22E31

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: feda5ce54267e1107c3257300ab280b564ceda33540b6cfd2a5ddec6256923b8
Instruction ID: f076edf795494f49b8974424697d0f7c68e92604497fea64bb14934f73726f96
Opcode Fuzzy Hash: feda5ce54267e1107c3257300ab280b564ceda33540b6cfd2a5ddec6256923b8
Instruction Fuzzy Hash: 2321C0B14097C09FDB238F21DD45A52FFB0EF07314F0984CBE9844B1A3D265A919DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04F22912 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04F2295B

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 844cd970dbafb7b1d1400d360518658196ae4c1ded6c863e50329d3b520ad81d
Instruction ID: 1d39f595780523f897c37fd10e88fc041f0f7d994934a399b9a90a8fb78bc6a7
Opcode Fuzzy Hash: 844cd970dbafb7b1d1400d360518658196ae4c1ded6c863e50329d3b520ad81d
Instruction Fuzzy Hash: 5E117072A006509FDB20CF55D984BA6FBE4EF09320F08C4AAED458B652D335E418EF72

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A186 Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 00F7A1C1

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: e5bf7e798bd4a504495b0aa5b6a0e02805263c676ebbde0baa89c3009262bfa2
Instruction ID: 15438d03cede543c085165b2678712ea2442f7d5e530d756452ceca89cea85f8
Opcode Fuzzy Hash: e5bf7e798bd4a504495b0aa5b6a0e02805263c676ebbde0baa89c3009262bfa2
Instruction Fuzzy Hash: 95019E729052409FEB20CF55D844B66FBE4EF59320F08C4AADD498B612C2B5E458DFA3

Uniqueness

Uniqueness Score: -1.00%

Function 04F22DF6 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 04F22E31

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 2895a1fe5e54b56308335dc39cadd566d66125245296b5d370d6e623b7ef3ac5
Instruction ID: 9c949be3f91be798b71ffe7fd9402cc7b00d46c275127ded956d53d3cc5fa364
Opcode Fuzzy Hash: 2895a1fe5e54b56308335dc39cadd566d66125245296b5d370d6e623b7ef3ac5
Instruction Fuzzy Hash: FF018F72900640DFDB608F15D944B65FBE0EF19720F08C49ADD490B652D375E419DF62

Uniqueness

Uniqueness Score: -1.00%

Function 04F2063F Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad9f5ce483939e11f51485d902d3f7e83e7867cf55f3f368869d98530db5641
Instruction ID: 24514745bb8a62a82d397f9afbfb8a371b748e4b914966cf5f7a7642e0f59e8a
Opcode Fuzzy Hash: aad9f5ce483939e11f51485d902d3f7e83e7867cf55f3f368869d98530db5641
Instruction Fuzzy Hash: 9441DE724093C05FE7238B258C55B96BFB4EF07224F0949DBE9848B2A3D265A90DC772

Uniqueness

Uniqueness Score: -1.00%

Function 011C0B68 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 011C0B8F

Memory Dump Source

Source File: 00000003.00000002.4068896029.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11c0000_chargeable.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 185a2f359405705cda7130282129c21ce216b83f711ab875074edee4c91fe1fb
Instruction ID: 19c1b41021ad415a8fc62de941ceca24eb28520f772f224801ad2d6c0e7523c9
Opcode Fuzzy Hash: 185a2f359405705cda7130282129c21ce216b83f711ab875074edee4c91fe1fb
Instruction Fuzzy Hash: 35416235A00204CFCB08DF78C9846ADB7F2EF98704B188469E909DB35ADB35DD85CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 011C0B58 Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 011C0B8F

Memory Dump Source

Source File: 00000003.00000002.4068896029.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11c0000_chargeable.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 86c889ded319dff7296b482dadaa3ed4a57dfee84527dd7d6a21a2b0a3060773
Instruction ID: 204d3fc07c40952cdf204847427176e40eef0a509faa4c9203e48d3a86dd3e83
Opcode Fuzzy Hash: 86c889ded319dff7296b482dadaa3ed4a57dfee84527dd7d6a21a2b0a3060773
Instruction Fuzzy Hash: 16415235A00205CFCB08DF78C9856ADB7F2AF98704B18846DE805DB35ADB35DD86CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F7B8CA Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00F7B989

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5da234b3278c74fc12ce13b5a5d5d402ce28e149fbc21d6f4af65079ddabf0af
Instruction ID: 8fb700d6221d54bb0c528b13225b194c83878fe88337db3ef14dbcaefe2877f2
Opcode Fuzzy Hash: 5da234b3278c74fc12ce13b5a5d5d402ce28e149fbc21d6f4af65079ddabf0af
Instruction Fuzzy Hash: AB31A2B1504380AFE712CB65CC44BA2BFF8EF06314F08849AE9898B652D325A809D771

Uniqueness

Uniqueness Score: -1.00%

Function 04F22136 Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04F221FD

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f1978ee15d49293ec1d9235620dc4851b0b0f9af5e25a6b610862b1d4947272a
Instruction ID: 0641ee27558be96df49bafd0f06172016151b6725206e43f509968aa2f2da4bd
Opcode Fuzzy Hash: f1978ee15d49293ec1d9235620dc4851b0b0f9af5e25a6b610862b1d4947272a
Instruction Fuzzy Hash: 28318F72504344AFE7228F65CD84FA7BBFCEF05210F08459AE985DB652D324E549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F7BE37 Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 00F7BEFE

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fb37964d1219ccbdf91fdc9397a661c1b4f01a5977aa518ab3bc560a7879987e
Instruction ID: 098d3385eb92b40bf188645c085ce62903868f423c5964e7443344da031aaf26
Opcode Fuzzy Hash: fb37964d1219ccbdf91fdc9397a661c1b4f01a5977aa518ab3bc560a7879987e
Instruction Fuzzy Hash: 67316F6550E3C0AFD3138B358C61A61BFB4EF47610B0E85CBD8848B6A3D2196919D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A7C7 Relevance: 1.6, APIs: 1, Instructions: 95
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00F7A879

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: fe280130b6bfeff9f269a5b1f8fa156c2ea4cf835be1ecce57fa16cdae18237d
Instruction ID: 00c1e99a70b0e9702d153c1a9676c6a5d41a0302d596cfd545cf5066ab6ce2de
Opcode Fuzzy Hash: fe280130b6bfeff9f269a5b1f8fa156c2ea4cf835be1ecce57fa16cdae18237d
Instruction Fuzzy Hash: B931B5B15083806FE7228B51CC44FA7BFB8EF06310F08849BE984CB653D264A94DC772

Uniqueness

Uniqueness Score: -1.00%

Function 04F20D54 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 04F20E1B

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 488309cdb0ff9e49c992c6dde9b421f3eb1cb64838148343040175504feaf124
Instruction ID: 3b7fc2c4ad759cdde8172400755d0684959c9e588d1db7db8edd01220f9b985a
Opcode Fuzzy Hash: 488309cdb0ff9e49c992c6dde9b421f3eb1cb64838148343040175504feaf124
Instruction Fuzzy Hash: 9D31AFB2500340AFE721CF51DD84FA6BBACEB04314F04489AFA499B282D775A9498B71

Uniqueness

Uniqueness Score: -1.00%

Function 04F20C4C Relevance: 1.6, APIs: 1, Instructions: 92
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 04F20CE9

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 8591df9887d8a07404ba6af3fcc88348062fa1de29fd8f1ab7cf70b0f10793e1
Instruction ID: d6eec1153db62f92154e015d7eb01f1b9ada419735fca9b8d128955afedabed9
Opcode Fuzzy Hash: 8591df9887d8a07404ba6af3fcc88348062fa1de29fd8f1ab7cf70b0f10793e1
Instruction Fuzzy Hash: B73105B25097806FD7228F25DD44BA6BFB8EF06320F0884DAE984CF193D325A549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00F7A6B9

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8234c07ab5788529bdf09f96115a0c9129083f280c459f0974d463d544ee1b93
Instruction ID: 7fca8e1c2919badc0b511526adcd3f76b9c5dd653a68dd0083ee33694799e24a
Opcode Fuzzy Hash: 8234c07ab5788529bdf09f96115a0c9129083f280c459f0974d463d544ee1b93
Instruction Fuzzy Hash: BE3181B15093805FE712CB65CD85B96BFF8EF46310F09849AE988CB292D375E909C772

Uniqueness

Uniqueness Score: -1.00%

Function 04F20548 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04F205DF

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 74bcc1abf4d0d88c17aae1133755d8b960210c743b2e5e6f43aa17637a7641a9
Instruction ID: aeb8b2aa70e76bb5d84fa0a2578ea9147a23be45e33a848863e5214e6ad1a826
Opcode Fuzzy Hash: 74bcc1abf4d0d88c17aae1133755d8b960210c743b2e5e6f43aa17637a7641a9
Instruction Fuzzy Hash: 8E31DF72505380AFE7218F65DD45FA7BFB8EF05210F0884AAF984DB252D324A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A8C1 Relevance: 1.6, APIs: 1, Instructions: 86windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 00F7A97D

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: a111f1b09cc5b6c957bafd471910fc6713e53e8568400b975efed3a38b815abd
Instruction ID: 5344cb0c8e3d3f644688ff30c389c12af359222df4d87f0f8b5783e9b9b12c89
Opcode Fuzzy Hash: a111f1b09cc5b6c957bafd471910fc6713e53e8568400b975efed3a38b815abd
Instruction Fuzzy Hash: BB31F671505380AFEB228F61CC45FA6BFB8EF46310F08849AE9858B553D275A54CCB62

Uniqueness

Uniqueness Score: -1.00%

Function 04F22162 Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04F221FD

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: abc60018b09b132fec2d34b479a68a4924f1ccb7ad787eeb1807626fab7a95ec
Instruction ID: 8078a6ee8d936d48c80bc5caf6e11a61e857ac50d61989c30ec27075c853bb9c
Opcode Fuzzy Hash: abc60018b09b132fec2d34b479a68a4924f1ccb7ad787eeb1807626fab7a95ec
Instruction Fuzzy Hash: BC21B172600304AFEB21CF55CD40FA7BBECEF08714F08899AE945D7651E720F5498A71

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 00F7A40C

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bef3c46f579b932df95630638bf2d7df09efedc4c671e6a82560a94690ba083f
Instruction ID: dec6dadbc914ecb0fdec97cb03dbfe2690767e44a7229d68baddba68520c9048
Opcode Fuzzy Hash: bef3c46f579b932df95630638bf2d7df09efedc4c671e6a82560a94690ba083f
Instruction Fuzzy Hash: C331B4715057409FD721CF15CC84F96BBF8EF46310F08849AE949CB252D325E948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04F20D76 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 04F20E1B

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 671c2126c996e18121c4c00337e18a6e5ecba764c0174d6961604ca8c0ae1115
Instruction ID: 55ea312e7d6e691ddf80e01ae5d96b4a10cb9818ecda4fec97d326b35bae5b23
Opcode Fuzzy Hash: 671c2126c996e18121c4c00337e18a6e5ecba764c0174d6961604ca8c0ae1115
Instruction Fuzzy Hash: DA21D172600204AEEB30DF51CD85FBAFBACEF04714F04485AFA499B681D775A58D8B72

Uniqueness

Uniqueness Score: -1.00%

Function 04F210C8 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 04F2116E

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 5a2e67beb51ca83c9ad907c59c5a845446d181e19dd0b0c8e5e6365b8c73c08e
Instruction ID: 45030c51fb8bc302bb3f0e06407f7af5056e9904e85f773c851fc77cad83dfcc
Opcode Fuzzy Hash: 5a2e67beb51ca83c9ad907c59c5a845446d181e19dd0b0c8e5e6365b8c73c08e
Instruction Fuzzy Hash: A8318F7150D3C06FD3128B258C55B62BFB8EF87610F0981DBE884DF693D225A958C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00F7B9E0 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 00F7BA75

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 43923fb764cc1f5d8efbba00cd397a30b72c294f2f601be92ef2ea22fe0650db
Instruction ID: 70385943d2f8e3467f255ec7dedf384b4d72a21155b0029dc1fe7a3920d5f2cc
Opcode Fuzzy Hash: 43923fb764cc1f5d8efbba00cd397a30b72c294f2f601be92ef2ea22fe0650db
Instruction Fuzzy Hash: CB21FB755097806FE7128B25DC41BE2BFBCEF47724F0880D6ED848B153D2646949C771

Uniqueness

Uniqueness Score: -1.00%

Function 04F223D5 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 04F22464

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 2f796b5bb58a1c19929e33455df2025648124eef12e203a874c268ce058a09e5
Instruction ID: 931a18c2268bda7ce94da1a17e965ef5c70f4feeed8f3ca5b1d5704c3fd1421f
Opcode Fuzzy Hash: 2f796b5bb58a1c19929e33455df2025648124eef12e203a874c268ce058a09e5
Instruction Fuzzy Hash: 31216D755097849FDB12CF25DD44BA2BFF8EF0A314F0984DAE984CB163D225A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04F20006 Relevance: 1.6, APIs: 1, Instructions: 80networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 04F2009E

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: e3ed53b505e1b8694137beb51867c647c4708a1c979824f372df5e16f2e89028
Instruction ID: 8365687753f004612011cac1723fb31f1c8ea955eccf631f17d8ed2f35a7d7f7
Opcode Fuzzy Hash: e3ed53b505e1b8694137beb51867c647c4708a1c979824f372df5e16f2e89028
Instruction Fuzzy Hash: 6831B171409380AFE722CF65CD44F96FFB4EF06214F08849EE9858B692C375A509CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04F22A5D Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 04F22AE4

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 25d4570100ab5602831c743aa2907ce94d0bfb14912c192ae29ce8960717750f
Instruction ID: 78174965ffc6c009b4d629c4724c956cbb2c859649baf7572e4a2f49dca490c2
Opcode Fuzzy Hash: 25d4570100ab5602831c743aa2907ce94d0bfb14912c192ae29ce8960717750f
Instruction Fuzzy Hash: 2121B0715093806FE712CF25DC45BA6BFB8EF46214F0884DAE984DB192D264A948C772

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A078 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,00000E24,?,?), ref: 00F7A109

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 337ad31ae1b970c8ed0ee20d9b6365cd6970b6c825c9dab0821099059df510f0
Instruction ID: 11eae9ccaab63881f9a8a138fcd95c8be5a91e918286ddc94b17c3c03d043337
Opcode Fuzzy Hash: 337ad31ae1b970c8ed0ee20d9b6365cd6970b6c825c9dab0821099059df510f0
Instruction Fuzzy Hash: 7F21F57150D3C06FC3128B218C51B66BFB4EF87620F1985DFE884CB693D229A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 00F7A4F8

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 3d2313dd978bf2d999eb48acc01722eb01f751974ae6f8069275e168f499a45a
Instruction ID: f3a42aa35c85ac75f83e702098d127b3f34ce6aa47f7fb6e57c95d5493ab58a2
Opcode Fuzzy Hash: 3d2313dd978bf2d999eb48acc01722eb01f751974ae6f8069275e168f499a45a
Instruction Fuzzy Hash: 742195B25043806FD722CF15DC44FA7BFB8DF46220F08849AE949CB652D365E948C772

Uniqueness

Uniqueness Score: -1.00%

Function 00F7B90A Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00F7B989

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f570c3fc812fd49e1b19fbd26ac0918dd65572bc9afb72488143dc191babe72e
Instruction ID: e46380677cbe2f221c6699d7c620d4ac852be108889c9b74a08dfd741c3cc5da
Opcode Fuzzy Hash: f570c3fc812fd49e1b19fbd26ac0918dd65572bc9afb72488143dc191babe72e
Instruction Fuzzy Hash: 3521A171500200AFEB20CF66CD45BA6FBF8EF09324F04846AEA498B651D371E418DB72

Uniqueness

Uniqueness Score: -1.00%

Function 04F2056E Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04F205DF

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 848f9cacc039a21bb12e3be4e1336e1bdbbf7b17dd0e73f894bff88f19cf1d0a
Instruction ID: 84136f14bf92e82db68ece48cfa3e9d7b195fb7a02e827a287abc6f592cc780a
Opcode Fuzzy Hash: 848f9cacc039a21bb12e3be4e1336e1bdbbf7b17dd0e73f894bff88f19cf1d0a
Instruction Fuzzy Hash: 10212672A00204AFE720DF25DD45FABFBECEF04210F08846AF945DB641D734E5498AB2

Uniqueness

Uniqueness Score: -1.00%

Function 04F20462 Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 04F204F4

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b45f14d0afbdd227427b04e0291b2a8a4353bfb0e27892d1735c93041440d089
Instruction ID: caa62b530eea1c1e14e0cd0577be7405944ec56b10c1d579763e6ee81b1320e5
Opcode Fuzzy Hash: b45f14d0afbdd227427b04e0291b2a8a4353bfb0e27892d1735c93041440d089
Instruction Fuzzy Hash: 39218C72505740AFD721CF55CD44FA7BBF8EF0A220F08849AEA45CB292D364E548CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A7FA Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00F7A879

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: f932d04d49251c221b3a9cbc759217dfbff5f82054698cd6a1f42b22d5757f62
Instruction ID: 64feabaf2dd5b9b0eb23abc57835c30286677b86545dcc462cb005d28aa135f0
Opcode Fuzzy Hash: f932d04d49251c221b3a9cbc759217dfbff5f82054698cd6a1f42b22d5757f62
Instruction Fuzzy Hash: DF21D172900204AEE7219F55CD44FABFBECEF18324F04845BE949CB641D764E54D8AB3

Uniqueness

Uniqueness Score: -1.00%

Function 04F22B47 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 04F22BC3

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: c1fa43474037e0a899fa0b0b58d56feb2cd819e5c2d9560d50ffc1c1531ab068
Instruction ID: bc9b411f57cd48491e5ea7fc33aa8d7889ccb7959dbcb8ce483aceeb908bcd85
Opcode Fuzzy Hash: c1fa43474037e0a899fa0b0b58d56feb2cd819e5c2d9560d50ffc1c1531ab068
Instruction Fuzzy Hash: 5421D4715093806FD711CF25CC44FA7BFB8EF46220F08849AE944DB152D374A548CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04F22C2B Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 04F22CA7

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: c1fa43474037e0a899fa0b0b58d56feb2cd819e5c2d9560d50ffc1c1531ab068
Instruction ID: 547d6a46fcc9f58aaf39d0bed40057ec8e9906597dc7862d9262bbe9a816fe3a
Opcode Fuzzy Hash: c1fa43474037e0a899fa0b0b58d56feb2cd819e5c2d9560d50ffc1c1531ab068
Instruction Fuzzy Hash: 5221C2715053806FD712CF25CD44FA6BFB8EF46220F08849AE944DB152D364A548CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00F7A6B9

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 2843e24ca92611af010339afe1e8821488d7634336aaa597dd46cf41f152a8b5
Instruction ID: 9032c668a9e5102a29c77445dcea121fc1ba690b9d428f0acd1843f978d80e3c
Opcode Fuzzy Hash: 2843e24ca92611af010339afe1e8821488d7634336aaa597dd46cf41f152a8b5
Instruction Fuzzy Hash: D121B0716002409FE720CF65CD45BAAFBE8EF44320F08846AE948CB641D371E909CA73

Uniqueness

Uniqueness Score: -1.00%

Function 04F22CFA Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,1D65AA2D,00000000,?,?,?,?,?,?,?,?,6C9C3C58), ref: 04F22D72

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 018436569f292ef1e83d65bfdd79f79b5f2d4156ef24d1e256b2ec201db3033d
Instruction ID: 34ff34280814f9df5bda31bb118e1f631bb4eebe783e050a5bd37229d48545ea
Opcode Fuzzy Hash: 018436569f292ef1e83d65bfdd79f79b5f2d4156ef24d1e256b2ec201db3033d
Instruction Fuzzy Hash: 0B21B3719097809FD712CF25DC55A92BFF8EF06310F0984DAE984CF263D235A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F7BCC2 Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 00F7BD41

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 3b2840f33ab323ecf1393166d31d4656d1a830177b4fac642438a41501265c10
Instruction ID: 510f9aa0bc9ba9b9b96c1f0a5fdbd4ca165ffbe81d4a9bc32f2d4aa22830e792
Opcode Fuzzy Hash: 3b2840f33ab323ecf1393166d31d4656d1a830177b4fac642438a41501265c10
Instruction Fuzzy Hash: 9C21A471505380AFD722CF55DC44FA7BFB8EF46320F08849AE9499B552C335A548CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A140 Relevance: 1.6, APIs: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 00F7A1C1

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: bc3bda8bae99f7b335e58bba7556164635654f0f93dc474412484cbfef6ea3b3
Instruction ID: 59685342d000299e994d9ad06ffccfcc6f6a9c7205fb680820d8a26378b72fe2
Opcode Fuzzy Hash: bc3bda8bae99f7b335e58bba7556164635654f0f93dc474412484cbfef6ea3b3
Instruction Fuzzy Hash: E1219D7150D3C09FD7128B619C54A56BFB0EF47220F0A84DBD9858B563C269A819DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 00F7A40C

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 68535992afffb07a1d578e9c2f874e17389c636a453449f33b09a524aebc14bd
Instruction ID: 9169be7847e4fe521ea7a21539f4ad960dd872cae7faebd16d2c910952b46b0b
Opcode Fuzzy Hash: 68535992afffb07a1d578e9c2f874e17389c636a453449f33b09a524aebc14bd
Instruction Fuzzy Hash: 2B218E76600604AFE720CF15CC84FAAB7ECEF44720F08C45AE949CB651D361E949DA73

Uniqueness

Uniqueness Score: -1.00%

Function 04F2230F Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 04F2238B

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 4480126d0ff1c85b6ce8fb88bc2a1118510cb9824c8a3a0d8cae9443450e6aca
Instruction ID: 768734da38266bf847c0eea1c568bfe975a4449572acfd6914a250c2cb87f775
Opcode Fuzzy Hash: 4480126d0ff1c85b6ce8fb88bc2a1118510cb9824c8a3a0d8cae9443450e6aca
Instruction Fuzzy Hash: 7421A1715093846FD722CF15CD44FA7BFB8EF46214F08849AE9489B552C374A548C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A710 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00F7A780

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b5fe21d9d6a76ec3790758dde00833899d495d3bc2ffa7d7c6f7831bb28862b3
Instruction ID: 8bac108d5f21e94b02f1f9358db8e2abcfa7c71272fb2909bb7029bb9e8a4e61
Opcode Fuzzy Hash: b5fe21d9d6a76ec3790758dde00833899d495d3bc2ffa7d7c6f7831bb28862b3
Instruction Fuzzy Hash: CD2105B55043809FD7018F25DC85792BFB8EF46320F0980ABEC848B653D2359909DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04F20032 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 04F2009E

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 289f6a7808936c1901afbd9b8574609b78cc0e074fc4649e40e6e4a41cc095d2
Instruction ID: f9657dff49a79c232b7da5e1c6b3eccbe7725d8183f1810dfca698202cf0bb40
Opcode Fuzzy Hash: 289f6a7808936c1901afbd9b8574609b78cc0e074fc4649e40e6e4a41cc095d2
Instruction Fuzzy Hash: D7210472500240AFE721CF55CD40BA6FBE4EF08314F04885DEA458B641D371F449CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04F20F26 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04F20FA2

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: aeb28366800b898989d2b016c7a19ba27abf8d63384fc61f0d2b3210524af782
Instruction ID: 0d7b5d0d7c4ed1ff2c6a8324497ee7e725faec0b62110c65244cde7601a08f7c
Opcode Fuzzy Hash: aeb28366800b898989d2b016c7a19ba27abf8d63384fc61f0d2b3210524af782
Instruction Fuzzy Hash: 12219271508380AFDB228F51DC44BA2FFF4EF0A310F08849AE9858B563D335A419DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04F2071E Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04F20792

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 6ec0fdc12b6cfd78eb4b42aec58c89377cf44c5bef823ba431c6f4e7447764a0
Instruction ID: 617a387d1d272157871074f76f4b302e0cca36d62efc6f03aaddf219ada1bef9
Opcode Fuzzy Hash: 6ec0fdc12b6cfd78eb4b42aec58c89377cf44c5bef823ba431c6f4e7447764a0
Instruction Fuzzy Hash: 4E21F072500200AFE721CF55CE85FA6FBE8EF08224F048459EA498B641E775F549CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A902 Relevance: 1.6, APIs: 1, Instructions: 66windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 00F7A97D

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 852244785e3e7772a9a0d251d90b4508a68fb5310443be72cb918ee1938b6bd9
Instruction ID: 5c37e67bbb888422b5a5fe418c17798f46d48db3a9b4662d5c74fd3ab9f8fb6b
Opcode Fuzzy Hash: 852244785e3e7772a9a0d251d90b4508a68fb5310443be72cb918ee1938b6bd9
Instruction Fuzzy Hash: 1721D272500200AFEB218F51DD40FAAFBB8EF48710F14845AEE898A651D375E558DBB6

Uniqueness

Uniqueness Score: -1.00%

Function 04F2138A Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 04F21413

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b8a6602892ac078bda0f51e5e8ceb4effb8aefb36be3ac1f4989073f0e44734e
Instruction ID: 9317707da34670bfb71ec4bf99143d4e530b686d3135a9bde1d68db41fa05c52
Opcode Fuzzy Hash: b8a6602892ac078bda0f51e5e8ceb4effb8aefb36be3ac1f4989073f0e44734e
Instruction Fuzzy Hash: 7311E4715043406FE721CF11CD85FA6FBB8DF46320F08809AF9488B292C264B948CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 00F7A4F8

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d5528fa7b5b5cd781713079b60f0e175615161311a9a2e4897c1ac564139b3c9
Instruction ID: dadf0a486a303c37b981137e7b97eb9b52d66c0d00bae7dc80da3e82d9155957
Opcode Fuzzy Hash: d5528fa7b5b5cd781713079b60f0e175615161311a9a2e4897c1ac564139b3c9
Instruction Fuzzy Hash: 7811B4B2600600AFE720CE15CC45FABB7ECEF54720F08C45AED49CA651D361E9489A73

Uniqueness

Uniqueness Score: -1.00%

Function 04F20482 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 04F204F4

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8a616b6261b6f3196adfb2407cd3686f7a4f29ad3772c5835d9a5bdc5fe679e1
Instruction ID: bf37822c583688eda935cf880785590b8729315f938f8a8f0c08d04a2decd996
Opcode Fuzzy Hash: 8a616b6261b6f3196adfb2407cd3686f7a4f29ad3772c5835d9a5bdc5fe679e1
Instruction Fuzzy Hash: D011A272600600AFE720CE15CD45FA7B7E8EF09710F08845AEA458B652D760F549CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 04F20C8A Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 04F20CE9

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 9cc25a0a3079793bef380801fc0ddc4fb5ad4ce4e62b32e356b39fd0110c1a32
Instruction ID: 2c83092142a2415731ee8da7a251581a57f08dff93e9a31592a74a7825cf68ad
Opcode Fuzzy Hash: 9cc25a0a3079793bef380801fc0ddc4fb5ad4ce4e62b32e356b39fd0110c1a32
Instruction Fuzzy Hash: DD11D372600200AFEB218F55DD44BAAF7A8EF04310F04846AEA45CB655D775F549CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 04F22770 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04F227DA

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: ac8d40d0e432c4f3ae48b0bce939820cb41be836b6d7429533d6a83c653ddda6
Instruction ID: c3bb97255735c15ce6a6989c34c45af0b1e33305ae381b5fabba02d73229b4d8
Opcode Fuzzy Hash: ac8d40d0e432c4f3ae48b0bce939820cb41be836b6d7429533d6a83c653ddda6
Instruction Fuzzy Hash: CF11A271A053809FD721CF25DD85BA7BFE8EF05210F0984AAE945CB652D234E804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04F203BE Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 04F2043A

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 002be9d2c3666e105081ffd101dd823de03c1ab7aef0baa89e65f8a4786c5086
Instruction ID: e1da08c99c729bb1c9fd13761b60faceae9b6d0b1a9489544b4d138c670b9dc1
Opcode Fuzzy Hash: 002be9d2c3666e105081ffd101dd823de03c1ab7aef0baa89e65f8a4786c5086
Instruction Fuzzy Hash: F711C8B1505340AFD3118B16CC41F76BFB8EFC6620F19819AEC489B683D625B919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 04F22B6A Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 04F22BC3

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 1c23aa54d9e9d56fddd2a83e96595aa69193a6fb071a2e92fd2a375f394b22f2
Instruction ID: 37de34f86e070f98cfa275535ad5e9c95ad488d9969c217d455cbe165d27ce45
Opcode Fuzzy Hash: 1c23aa54d9e9d56fddd2a83e96595aa69193a6fb071a2e92fd2a375f394b22f2
Instruction Fuzzy Hash: D211E772600210AFE710CF55DD45BEAF7E8EF05324F0884AAED45CB641D774E5488BB6

Uniqueness

Uniqueness Score: -1.00%

Function 04F22C4E Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 04F22CA7

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 1c23aa54d9e9d56fddd2a83e96595aa69193a6fb071a2e92fd2a375f394b22f2
Instruction ID: 1ca916d2f8b971a0312cc3a122afce867cdb93ada1788336b5071a2245642747
Opcode Fuzzy Hash: 1c23aa54d9e9d56fddd2a83e96595aa69193a6fb071a2e92fd2a375f394b22f2
Instruction Fuzzy Hash: 5011C476600200AFE711CF15DD45BA6B7A8EF05224F0884AAED45CB641D374E5488AB6

Uniqueness

Uniqueness Score: -1.00%

Function 00F7AF93 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F7AFFE

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3dc602d05711a26ad90f3dd43b1d83079dbaf2206a680aebb285fb3f52d2336a
Instruction ID: 7a307611e490226ad76ce7800d83daa148659f4a1f8a4ae9a1074c14f95c0083
Opcode Fuzzy Hash: 3dc602d05711a26ad90f3dd43b1d83079dbaf2206a680aebb285fb3f52d2336a
Instruction Fuzzy Hash: 1A117271409780AFDB228F51DC44B62FFF4EF4A320F08849EED858B562D275A518DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04F22A8E Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 04F22AE4

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 1f40e3500a8e2063be2e95ed8cc0ee41a103c106381f1d315b52014458f3bb54
Instruction ID: 340a5b1dbc6acb1f561ef53d347b33e8a5b6dfff02512d12bdbee1e531813c2d
Opcode Fuzzy Hash: 1f40e3500a8e2063be2e95ed8cc0ee41a103c106381f1d315b52014458f3bb54
Instruction Fuzzy Hash: 3911E371600200AFEB11CF15DD45BEAB7A8DF05224F0884AAED05DB641D774E548CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 00F7BCE2 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 00F7BD41

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 3de681dadaf7279a35355f08f7a9b82ae935ef4542eb170fef183118760c66f3
Instruction ID: c9d19389f4b5e9fb2c9fbc325a719fc81a56d19189490e86d395aa05f21c4979
Opcode Fuzzy Hash: 3de681dadaf7279a35355f08f7a9b82ae935ef4542eb170fef183118760c66f3
Instruction Fuzzy Hash: BB110172500200AFEB21CF55CC44FA6FBE8EF09324F08C45AE9498B651C335A5488BB2

Uniqueness

Uniqueness Score: -1.00%

Function 04F22332 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 04F2238B

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 63b442fe5e836e1a99df36077bf0cdb4effbfbbe1b51aaae9e0d69f974467e49
Instruction ID: 8bc6c4edc7b29243f630676ff0743315f87326c86a9b1cdeadd3df69675e5683
Opcode Fuzzy Hash: 63b442fe5e836e1a99df36077bf0cdb4effbfbbe1b51aaae9e0d69f974467e49
Instruction Fuzzy Hash: E111C172600200AEE720CF55CD44BAAFBA8EF04224F0884AAE9489B641D375A5488AB6

Uniqueness

Uniqueness Score: -1.00%

Function 00F7ABC1 Relevance: 1.6, APIs: 1, Instructions: 57comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00F7AC20

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2aa060e0ca9c3baa9be4bcadc998f165e78ad6936c41fc0541144feb61ae9b50
Instruction ID: 2bb4122f6d30cc9accc98eb2cd4ccd1742ef4aeab18e20b5f0dee58e15a2a3b3
Opcode Fuzzy Hash: 2aa060e0ca9c3baa9be4bcadc998f165e78ad6936c41fc0541144feb61ae9b50
Instruction Fuzzy Hash: 8D1190715093C0AFDB128B21DC44AA6BFB4EF47220F0884DBED888F153C275A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A2D2 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00F7A330

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5969b8ed49e361c27635a76aa0a4d5ec32ee1c84800cccb822fe9895de4d4d34
Instruction ID: 984deee3721d38d2d3f1bb3da1241531d772dcc001747189fd097ddb4a7f71fd
Opcode Fuzzy Hash: 5969b8ed49e361c27635a76aa0a4d5ec32ee1c84800cccb822fe9895de4d4d34
Instruction Fuzzy Hash: 29118F718093C0AFDB128B25DC54A66BFB4DF47220F0980DBED858B263C266A918D773

Uniqueness

Uniqueness Score: -1.00%

Function 04F213AA Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 04F21413

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3d0a07b8038b6550df4464aba59a9dd1f41ceabc2943f9e9524b15df41555e59
Instruction ID: fd4d1ee875f36f532dc187fe6ba7ecf4363ec02c284cc9c6f8cf8dc4193daacb
Opcode Fuzzy Hash: 3d0a07b8038b6550df4464aba59a9dd1f41ceabc2943f9e9524b15df41555e59
Instruction Fuzzy Hash: D511C271600600AEE7208F15DE41FB6F7A8DF05724F148059ED498B685D3B5B5498AB6

Uniqueness

Uniqueness Score: -1.00%

Function 04F2240E Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 04F22464

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 077f92852b8857e033f7faca38371c4935926f3b28ed218bb2d9b42345e4b9e9
Instruction ID: f70de444a38549231c82e0d14281e325a804ec52f67af5a6de44deae9cddeced
Opcode Fuzzy Hash: 077f92852b8857e033f7faca38371c4935926f3b28ed218bb2d9b42345e4b9e9
Instruction Fuzzy Hash: D4118C75A006409FDB20CF15D984BA2FBE8EF18710F0884AADD49CB652E339F549CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04F22792 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04F227DA

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 3802a61d387ad94a11f439c30ae191bf8d82ab34015c9e2ed5b0d59e08910bd6
Instruction ID: 84e5a3f65efc2f60089bd0ff60b73575ad43ea712fbca490a63852a007b7b09e
Opcode Fuzzy Hash: 3802a61d387ad94a11f439c30ae191bf8d82ab34015c9e2ed5b0d59e08910bd6
Instruction Fuzzy Hash: C2118E72A042008FDB60CF29D985BA6FBE8EF14620F08C4AADD49DB742D675E405CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00F7BA22 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,1D65AA2D,00000000,00000000,00000000,00000000), ref: 00F7BA75

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 4d91d44363f9f71c5fd7fbae73f58b3e464b401cba7f59905e489c77ede5147f
Instruction ID: 2f8ce3a40c49e9bc7c62cc5f42f66deabdf8489741ccbc9827e27dd02dd07c35
Opcode Fuzzy Hash: 4d91d44363f9f71c5fd7fbae73f58b3e464b401cba7f59905e489c77ede5147f
Instruction Fuzzy Hash: CD01D671A00200AEE710DF05DD45FE6F7A8DF55724F18C056ED098B741D378E9488AB7

Uniqueness

Uniqueness Score: -1.00%

Function 04F20F56 Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04F20FA2

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 5ecf49fe6b6f34dbae10e86a83fa019b1f83ee389b75f4f6e755f10bd781b57f
Instruction ID: a053a59fb9c800c2f30886b9554fe22767cc8555e34666d8a187fcba89a34710
Opcode Fuzzy Hash: 5ecf49fe6b6f34dbae10e86a83fa019b1f83ee389b75f4f6e755f10bd781b57f
Instruction Fuzzy Hash: 13115E725006449FDB20CF55D944B66FBE4FF08210F08C45ADE458B652D735E459DF62

Uniqueness

Uniqueness Score: -1.00%

Function 04F22D32 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,1D65AA2D,00000000,?,?,?,?,?,?,?,?,6C9C3C58), ref: 04F22D72

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 8c149f2941ee67b562c3382cf69a9ae91835eff002d81305787b110828530f06
Instruction ID: 551094aa4b0a6e3989a4ab403b36e0c4bbfdaf1a157eecdaa53adf2646412835
Opcode Fuzzy Hash: 8c149f2941ee67b562c3382cf69a9ae91835eff002d81305787b110828530f06
Instruction Fuzzy Hash: 1811A171A002008FDB20CF25D984BA6FBE4EF04220F0884AAED49CB792D235E404CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A0BE Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,00000E24,?,?), ref: 00F7A109

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: fc7bb71ee6bdde1f157fe514b6df04f52712a501cd6445df97efb17811eb4db6
Instruction ID: bbd57a0a6dccbe8d3895b406b696083d42cb03d39bd46defd4942789cc0bf363
Opcode Fuzzy Hash: fc7bb71ee6bdde1f157fe514b6df04f52712a501cd6445df97efb17811eb4db6
Instruction Fuzzy Hash: E7017171A00200ABD310DF16DD45B76FBE8FB88A20F14855AED089BB41D735B955CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 04F2111E Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 04F2116E

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 113c250b779bad64ed991b6387bb49d94d10097e7e75647d64013ceeeff943fd
Instruction ID: 620f314b9c0d672755c299af3bdd6d3c56dacf0428d0af105276e23381f31105
Opcode Fuzzy Hash: 113c250b779bad64ed991b6387bb49d94d10097e7e75647d64013ceeeff943fd
Instruction Fuzzy Hash: A201B171A00200ABD310DF16CD45B76FBE8FB88A20F14851AEC089BB42D731B955CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00F7AFBA Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F7AFFE

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7fde72bd12f869cfbd34df4f71baba69e8e06b6c00ae36d58a1379dcd057bca1
Instruction ID: 5c2afbfe63ca44460caac8aabfe50abb76d035b43337a7dc75b58b4e6517acbe
Opcode Fuzzy Hash: 7fde72bd12f869cfbd34df4f71baba69e8e06b6c00ae36d58a1379dcd057bca1
Instruction Fuzzy Hash: D0018B329006409FDB208F55D844B66FBE0EF49320F08C89EDE494B652C336E428EF62

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00F7A780

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 09dd07bac0552f378bedae4fe1396193229df98e8f1022747e53286f50318c9d
Instruction ID: ca23ddee66afa31a105c92927da887eade8f7b87cafa0f70bcb370fff2772139
Opcode Fuzzy Hash: 09dd07bac0552f378bedae4fe1396193229df98e8f1022747e53286f50318c9d
Instruction Fuzzy Hash: D601DF71A002408FEB10CF15D9857AAFBE4DF45320F08C4ABDD498B742D275E808DEA3

Uniqueness

Uniqueness Score: -1.00%

Function 00F7BEAE Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 00F7BEFE

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6d4016c3f657359853483e8c8e049bc5492dc676b71e32143c6e45fbabcf11b8
Instruction ID: 4c654d2490cabceff9fcf9fd5ae78bada48a64637da0f2109995235ce3de0730
Opcode Fuzzy Hash: 6d4016c3f657359853483e8c8e049bc5492dc676b71e32143c6e45fbabcf11b8
Instruction Fuzzy Hash: 9501A271500200ABD210DF16CD46B66FBE8FB88A20F14811AEC089BB42D771F955CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 04F203EA Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 04F2043A

Memory Dump Source

Source File: 00000003.00000002.4072531709.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f20000_chargeable.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: cb78d2d47ee5f9f56adc11b8c96db6cc87c36d56e40ac8b6a56f6519ddcda984
Instruction ID: 18e919117cbc569ec8545475ba9555b9c9d9170b9daf69703de1aa2e73a8168f
Opcode Fuzzy Hash: cb78d2d47ee5f9f56adc11b8c96db6cc87c36d56e40ac8b6a56f6519ddcda984
Instruction Fuzzy Hash: 6001A271500200ABD210DF16CD46B66FBE8FB88A20F148159EC089BB41D731F955CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00F7ABEE Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00F7AC20

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6d17371a39c94104450f2928e63b509b14a7d5d475fcf550fbc014cc65e0292a
Instruction ID: ea4dc6a94681db331c83aaf5c67bcc4f4fd203df1f7d21ff58154638148f3f12
Opcode Fuzzy Hash: 6d17371a39c94104450f2928e63b509b14a7d5d475fcf550fbc014cc65e0292a
Instruction Fuzzy Hash: 6D01F2719002409FDB10CF05D88476AFBE4DF44320F18C4ABDD088F202D275E548DEA3

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00F7A330

Memory Dump Source

Source File: 00000003.00000002.4068333472.0000000000F7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f7a000_chargeable.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 70ec9dc5f0fd15ccf975a439ed8d3448d243580bfbc96c57181604d11be6782b
Instruction ID: ea38cb14c72bc1aee70cc0c4bb60322cb0ca4da3972959d4dc652db57caef2b1
Opcode Fuzzy Hash: 70ec9dc5f0fd15ccf975a439ed8d3448d243580bfbc96c57181604d11be6782b
Instruction Fuzzy Hash: B5F0FF32904240CFDB50CF09D884769FBE0EF55320F08C09ACD090B352D27AE808DEA3

Uniqueness

Uniqueness Score: -1.00%

Function 05451E30 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4072885329.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c6f1b0859a233b099ddcfb29ef7403f2074f73cac2d860be5206ae4e8b0f947
Instruction ID: 143e92203d2ddda0b561a1a454ad4cdb98ce1494b123be06564c1f24d4409d98
Opcode Fuzzy Hash: 0c6f1b0859a233b099ddcfb29ef7403f2074f73cac2d860be5206ae4e8b0f947
Instruction Fuzzy Hash: 6811B8B5A08341AFD340CF19D840A5BFBE4FB98664F04895EF99897311D231EA188FA3

Uniqueness

Uniqueness Score: -1.00%

Function 01080814 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4068721759.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1080000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8ef6ac6adf6adaae35179e2c8b3741dfe6f68c14f3c4e793e59a79e4f8843e
Instruction ID: 21127c2b21891f2a64de598b6a87b11cb6ac2e99daa12bae50fae7f7618edc7a
Opcode Fuzzy Hash: 5b8ef6ac6adf6adaae35179e2c8b3741dfe6f68c14f3c4e793e59a79e4f8843e
Instruction Fuzzy Hash: 6B11E430618284DFD711DB14D540B25BBE5AB89708F24C9ACF9C90BB47C737D84ACA82

Uniqueness

Uniqueness Score: -1.00%

Function 010807DE Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4068721759.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1080000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce8f4eb344227b621f1cedc58e4e17991f816e57ab71136cbc1d9eea754e261
Instruction ID: e49362a0d6c24b45bcb502ee95968d1ab69366506c7823c19811e0a1970b985b
Opcode Fuzzy Hash: fce8f4eb344227b621f1cedc58e4e17991f816e57ab71136cbc1d9eea754e261
Instruction Fuzzy Hash: E2215B3050D3C4CFC7138B24C950B11BFB1AB46218F1985EED4C54B663C33A984ADB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F8AFBC Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4068447479.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f8a000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c812dbefe99b37721480f439b7999d2f0bc056399392ceb7ba4b5d86d86615f8
Instruction ID: 134fcc1bb7aeb06fa297cde888854e59669402d33e036fc832ccfddb95050909
Opcode Fuzzy Hash: c812dbefe99b37721480f439b7999d2f0bc056399392ceb7ba4b5d86d86615f8
Instruction Fuzzy Hash: 5911BAB5A08301AFD350CF09DC41E5BFBE8EB98660F04895EF95997311D271E9188FA3

Uniqueness

Uniqueness Score: -1.00%

Function 05451CD4 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4072885329.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e341a2b9a565ab1f0520d4fe1bb7645ec3454b240db7a9444d2cefadd16f40e1
Instruction ID: 9a83550e40e4d5d1d90ce3d1e45b38c82343153be06381335ad7b7c53602eda6
Opcode Fuzzy Hash: e341a2b9a565ab1f0520d4fe1bb7645ec3454b240db7a9444d2cefadd16f40e1
Instruction Fuzzy Hash: 6211FAB5A08301AFD350CF09DC80E5BFBE8EB88660F04895EF95997311D231E9088FA3

Uniqueness

Uniqueness Score: -1.00%

Function 010805E0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4068721759.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1080000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93de8067544d749f96be70b2fc08b4d6f878381a9903272ddf739d4621477175
Instruction ID: 46a43becbf213b06f6b802a4440d154471d50182fb2a346f295393ad4fd403a5
Opcode Fuzzy Hash: 93de8067544d749f96be70b2fc08b4d6f878381a9903272ddf739d4621477175
Instruction Fuzzy Hash: 490186B55497805FC711CB16AC51897BFE8DF8623070984ABE8898B612D225B919CB72

Uniqueness

Uniqueness Score: -1.00%

Function 010808D0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4068721759.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1080000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6850d79e688ef7387407e307c00caab001beb49244c143f541758b1d055de9a
Instruction ID: ebcc985747aee7e624ccdc6f5a6b8a7cf181d32643ed99279055f451b85fb499
Opcode Fuzzy Hash: e6850d79e688ef7387407e307c00caab001beb49244c143f541758b1d055de9a
Instruction Fuzzy Hash: 62F06D35108640DFC702CF04D580B15FBE2EB88718F24CAADE88807B56C337E813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 01080606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4068721759.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1080000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e238b13b8a656c0e3f99d6c5987cac23e22c174eef167ca6408c1eb57c33a5d5
Instruction ID: 2560e02d58cc6a785163f235b723e0255339ee4a1670f85bc7ee4ce03c2b873f
Opcode Fuzzy Hash: e238b13b8a656c0e3f99d6c5987cac23e22c174eef167ca6408c1eb57c33a5d5
Instruction Fuzzy Hash: 81E092B66006408BD750CF0BEC414A2F7D8EB88630B08C07FDC0D8B701D236F508CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 00F8B00B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4068447479.0000000000F8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f8a000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3596d25dd37f7a4a0472c42f41ef123e923cc1771f8a59be948e9a8e6094fa
Instruction ID: 7fc0a9fb4484886cd9e8162d308fb4c7ccfa462ea4285b0282548bd95ba6adf4
Opcode Fuzzy Hash: 0e3596d25dd37f7a4a0472c42f41ef123e923cc1771f8a59be948e9a8e6094fa
Instruction Fuzzy Hash: 39E0DFF2A4020467D2108E06AC46FA3FB98DB54A71F08C56BEE091B702E172B5188AF6

Uniqueness

Uniqueness Score: -1.00%

Function 05451747 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4072885329.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7912dffdf518da63109d77c539e4b091b1bfc03311f311712951e632a41e28e2
Instruction ID: 3842aeb2cd3264a2aa441dd74cd2d573951a3fe6e04f9e8635a6bc3d4745b16d
Opcode Fuzzy Hash: 7912dffdf518da63109d77c539e4b091b1bfc03311f311712951e632a41e28e2
Instruction Fuzzy Hash: 36E0D8B250020067D210DE06AC45F63FB98DB54A30F04C567ED091B702D172B614C9F6

Uniqueness

Uniqueness Score: -1.00%

Function 05451D23 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4072885329.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead68375477212c90deee925337541beec71ce25aa1fa0d937332b40764850e4
Instruction ID: ba10715cb5ad1212443b50afeae1f94a8a41c94897199155a46d3f1ec111f7f7
Opcode Fuzzy Hash: ead68375477212c90deee925337541beec71ce25aa1fa0d937332b40764850e4
Instruction Fuzzy Hash: 17E0D8B250030467D2509E06AC45F63FB98DB54A30F04C557ED091B702E172B51489F6

Uniqueness

Uniqueness Score: -1.00%

Function 05451E9B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4072885329.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162576f9af566fe88d733bcc36f0557b95d73ebebe7c46248ec2dc816f59bfda
Instruction ID: 59c1015d81493fce7baa0484d3d779df3dc0f18418eb26eb1f019bce3e0dd1fe
Opcode Fuzzy Hash: 162576f9af566fe88d733bcc36f0557b95d73ebebe7c46248ec2dc816f59bfda
Instruction Fuzzy Hash: 3EE0D8F264030067D3108E06AC45F63FB98DB54A70F04C567ED081B742D172B51889F6

Uniqueness

Uniqueness Score: -1.00%

Function 00F723F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4068315127.0000000000F72000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F72000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f72000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9062d2db1a2b8919a9371f29dcfea0fe74619b914e47f164a4566dde4347ea0f
Instruction ID: 18a1c9ec7d0dddcbb94a181d154fed5946b1ebc12d4a998ab90f05e344932a6e
Opcode Fuzzy Hash: 9062d2db1a2b8919a9371f29dcfea0fe74619b914e47f164a4566dde4347ea0f
Instruction Fuzzy Hash: F1D05E7A6056C18FD316DE1CD1A4B9537D8AB61724F4A84FAA8048B763C768D981E601

Uniqueness

Uniqueness Score: -1.00%

Function 00F723BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4068315127.0000000000F72000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F72000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f72000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638a61272152aa6299c0d8d4f6a114ed94efa01542a2b6df8dbde2afe2fd221e
Instruction ID: 4a5b50d9a8bbebd2370332d200c658ce04a317d827af03ea020dded0f76c0d6d
Opcode Fuzzy Hash: 638a61272152aa6299c0d8d4f6a114ed94efa01542a2b6df8dbde2afe2fd221e
Instruction Fuzzy Hash: C4D05E346006814BC755DA0CC6D4F5937D8AB50B24F1A84EDAC108B762C7A8D8C1DA01

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 011C2450 Relevance: 12.6, Strings: 9, Instructions: 1370COMMON

Download Yara Rule

Strings

:@k, xrefs: 011C2F6D
:@k, xrefs: 011C2DC7
:@k, xrefs: 011C2EDA
, xrefs: 011C3127
:@k, xrefs: 011C2A46
:@k, xrefs: 011C39FA
:@k, xrefs: 011C29A0
, xrefs: 011C3131
:@k, xrefs: 011C2B24

Memory Dump Source

Source File: 00000003.00000002.4068896029.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11c0000_chargeable.jbxd

Similarity

API ID:
String ID: $ $:@k$:@k$:@k$:@k$:@k$:@k$:@k
API String ID: 0-1999185200
Opcode ID: e6354e62718d5d16d2ed6d6b78c32fecee2f05306eb4d98bb8fc89cf75c7ceac
Instruction ID: 45e9a3b6dfd86819cf2f08aa17697ca23b7e09d2ca0be4de3ffda577ea715d6a
Opcode Fuzzy Hash: e6354e62718d5d16d2ed6d6b78c32fecee2f05306eb4d98bb8fc89cf75c7ceac
Instruction Fuzzy Hash: C6B29D30B002108FDB18EB74C855BADB7A2BF98708F1580A9E509DB7A5DF35DD85CB92

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: chargeable.exePID: 7412, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	19.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	106
Total number of Limit Nodes:	11

Executed Functions

Function 014700E0 Relevance: 9.1, Instructions: 9140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1800638326.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1470000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6ba4270a5f0cabfd7af2921b0a39436fb21d9a6645a3d1d692ebaee358b845
Instruction ID: 3c7bf4cb3a9436d224bdfe024dd8f1e8d6418eff381b072f756f03572277c75a
Opcode Fuzzy Hash: de6ba4270a5f0cabfd7af2921b0a39436fb21d9a6645a3d1d692ebaee358b845
Instruction Fuzzy Hash: 7D143734600704DFD765DB30C994AEAB3B2EF89304F5188A9D55AAB360DF36AE85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 014798A0 Relevance: 2.7, Instructions: 2697
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1800638326.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1470000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8a4c301e30db4ce44739945c0a7f6b1c1c9210af04094c8778ba80bb1c9597
Instruction ID: 19bf2eb54565ba28e26976d325662a470126f859eba900d4ba29fc1ff1f7a442
Opcode Fuzzy Hash: 1f8a4c301e30db4ce44739945c0a7f6b1c1c9210af04094c8778ba80bb1c9597
Instruction Fuzzy Hash: 2933D43C3055218B8606FB21E56066F6BA7E7C9A58318C725C9114BB84CF3CFE9B8BD5

Uniqueness

Uniqueness Score: -1.00%

Function 0107AC22 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0107ACD1

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d9de4eef408db49260193c971f0b8e67a13ea0fe10788d0df7bce3c885bad46c
Instruction ID: 0890113db0b9fe4fcb9c7b4428434d87936384709a0bdcbb049cc5453cabab85
Opcode Fuzzy Hash: d9de4eef408db49260193c971f0b8e67a13ea0fe10788d0df7bce3c885bad46c
Instruction Fuzzy Hash: 8F31A271504384AFE7228B55CC45FA7BFFCEF06610F08849AE9858B652D264E94DCB71

Uniqueness

Uniqueness Score: -1.00%

Function 0107AD19 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,D1E9D443,00000000,00000000,00000000,00000000), ref: 0107ADD4

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 15c26032973b1a4ef9b08bfe18267062d90a95caadaf98fb1c81eb50f61b93a5
Instruction ID: 2d4c684fa9ef0acca6140bac157633c1577a56083a666a1e10cf96cd0c6fdbcb
Opcode Fuzzy Hash: 15c26032973b1a4ef9b08bfe18267062d90a95caadaf98fb1c81eb50f61b93a5
Instruction Fuzzy Hash: 1F31A1716053809FE722CB25CC44FA6BFF8EF06310F08849AE985CB252D360E948CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0107A2AC Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 0107A346

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9742e1629bed9af9a75ca53ece62701c95caaca5f0be3dfa56788260461d8577
Instruction ID: 8713173e01e1e4f42e8de1cfe6761a92a0a03266277a8eb259b47774b53fad46
Opcode Fuzzy Hash: 9742e1629bed9af9a75ca53ece62701c95caaca5f0be3dfa56788260461d8577
Instruction Fuzzy Hash: 5121D47150D3C06FD3138B259C51B62BFB8EF87610F0A40CBE884CB693D225A919CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0107AC52 Relevance: 1.6, APIs: 1, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0107ACD1

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9f8a4a4d628c1e2a96fa19da0a4c10b5a2fa23a9725ed934a12aa82a83e9de94
Instruction ID: 2421a09dba511bf0783a3114aff3da99f7f7790386d5109777a2fc2d49f2c0ea
Opcode Fuzzy Hash: 9f8a4a4d628c1e2a96fa19da0a4c10b5a2fa23a9725ed934a12aa82a83e9de94
Instruction Fuzzy Hash: D921D172A00204AFE7219F55CD44FABFBECEF04714F08845AE945CB642D324E94C8AB6

Uniqueness

Uniqueness Score: -1.00%

Function 0107AD5A Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,D1E9D443,00000000,00000000,00000000,00000000), ref: 0107ADD4

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ad384ede200715b913066ce3767adc841c2b6583000c3d681397fe27820ecf4c
Instruction ID: d8c22c85db2bea94b459b9de5e6a08e5c5cf2f12c87410f7baff9930f2ffb0fb
Opcode Fuzzy Hash: ad384ede200715b913066ce3767adc841c2b6583000c3d681397fe27820ecf4c
Instruction Fuzzy Hash: 44216375B00604AFE761DF15DC44FABB7ECEF04710F08845AE946CB651D760E948CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 0107BAB4 Relevance: 1.6, APIs: 1, Instructions: 68
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?), ref: 0107BB2C

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2d51f4edce816b1d551789cf4e80c48e1fff316b050c242ab6e1f919810aaf0f
Instruction ID: 93a9ea1f6c9b46ff9e196f34a79a42529a7bd6aad27fb4a8793acb0ef7ac6ef2
Opcode Fuzzy Hash: 2d51f4edce816b1d551789cf4e80c48e1fff316b050c242ab6e1f919810aaf0f
Instruction Fuzzy Hash: DE216F719093C05FDB528B29DC94792BFB4EF47214F0D84DAED848F657D264A908CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0107B42D Relevance: 1.6, APIs: 1, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0107B4A9

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 244d21c0dd76bed8a1b9e6cd2b05844c6c1c4a7edda6b4bdfd0d76bb924141c0
Instruction ID: 3b86e766eee1b29bab42fe83e4a41e488f64747fdd48fe70d1a07d374361d488
Opcode Fuzzy Hash: 244d21c0dd76bed8a1b9e6cd2b05844c6c1c4a7edda6b4bdfd0d76bb924141c0
Instruction Fuzzy Hash: CB2172B55097805FDB628F15DC45B62BFF8EF46614F0884CAED84CB293D265E908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0107BC4B Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 0107BCBF

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: f459d02f7b7e8951d197ef992af56ceed83cae14e2ed038aecc4123379681e9d
Instruction ID: 9fdaf2e30d4f3b27b14ed2ae52155c49c4e6a5699e8ecb0504959132db9ce9a9
Opcode Fuzzy Hash: f459d02f7b7e8951d197ef992af56ceed83cae14e2ed038aecc4123379681e9d
Instruction Fuzzy Hash: 3D21A5B19093849FD752CF25DC45B52BFF4EF46210F0984DAED848F263D274A509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0107A5FB Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0107A666

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 95a2b8a7c06cd68059f6f0fc5c998471e321ad22f78f5637c1ac562f8edb0c49
Instruction ID: bc85aa6726ba6e160402cb535759ee6548a5e327acc548007f82e546264b1072
Opcode Fuzzy Hash: 95a2b8a7c06cd68059f6f0fc5c998471e321ad22f78f5637c1ac562f8edb0c49
Instruction Fuzzy Hash: B411A271509780AFDB228F55DC44A62FFF4EF4A210F0888DAED858B562D235A518DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0107BD10 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 0107BD75

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 316a733489b837ad2b67bd9917a0bd8e9e03fde4723797d8d122912f086c97c0
Instruction ID: e0e8079bb9187ca84d2b526932beae287940fca79d31cd471580019a7a80d22f
Opcode Fuzzy Hash: 316a733489b837ad2b67bd9917a0bd8e9e03fde4723797d8d122912f086c97c0
Instruction Fuzzy Hash: EF11C471504380AFDB628F15DC45B62FFF8EF46624F08C09EED858B663D261E918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0107A42A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0107A480

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3c74e2a228c63753047afc17cb94e1fd7e822342823b32e86c7ab919f33d25b2
Instruction ID: 48b59488b15406239d8d92943c24bd5731a51b9a86ff48ab25cf78cc3d7ae38e
Opcode Fuzzy Hash: 3c74e2a228c63753047afc17cb94e1fd7e822342823b32e86c7ab919f33d25b2
Instruction Fuzzy Hash: DE016175549384AFD7128F15DC48B62BFB8EF86620F08C0DAED854B252D275A908DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0107BD32 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 0107BD75

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: f1ea5cd21a182146efe8004f7660ae685a381da2eae5b73e5e65ce57dbca29ff
Instruction ID: f821d678a7f8a309018524cf5971859d356d4af4cc969853c035241a79507c06
Opcode Fuzzy Hash: f1ea5cd21a182146efe8004f7660ae685a381da2eae5b73e5e65ce57dbca29ff
Instruction Fuzzy Hash: DD01F531A006008FDB619F1AD844B56FBE4EF14620F08C09AED458B752E271E808CFA3

Uniqueness

Uniqueness Score: -1.00%

Function 0107B45E Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0107B4A9

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: fc14363736452472e8abe6b1da3ab3ad4257c4bc383d3a6d304e6a5b025db79c
Instruction ID: 455d20d435ecb059546ab437ad8a80a9de6b1ae8686cf11fbf397c5a2963d287
Opcode Fuzzy Hash: fc14363736452472e8abe6b1da3ab3ad4257c4bc383d3a6d304e6a5b025db79c
Instruction Fuzzy Hash: B001B571A002009FEB60CF19D845B62FBE8EF14620F08C099ED898B752D775E408CF76

Uniqueness

Uniqueness Score: -1.00%

Function 0107A622 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0107A666

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 63f4a4ebac48b7cfc4e6dcd4c9a4f428e0143df57f4956e1a19631ea4109e3e7
Instruction ID: 795a7b0c863f06410b6006b4b886ba53182748805ae109878d0ce7e2ef470877
Opcode Fuzzy Hash: 63f4a4ebac48b7cfc4e6dcd4c9a4f428e0143df57f4956e1a19631ea4109e3e7
Instruction Fuzzy Hash: BD01C432A00600DFDB218F55D844B56FFE4EF48710F08C89AED854B612D335E514CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0107BC82 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 0107BCBF

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: fba7a6cf2481c20ac0cfb0f72bafbb7c7397a43a57c76a9aeb8720e0768f4a0b
Instruction ID: 914bd57f2076aef6f98ecf2223933e9ff51b169a0e21fdb9806c7572a502185f
Opcode Fuzzy Hash: fba7a6cf2481c20ac0cfb0f72bafbb7c7397a43a57c76a9aeb8720e0768f4a0b
Instruction Fuzzy Hash: C201D471A002049FEB50DF19D885766FBE8EF04620F08C4EADD88CB342D675E504CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0107A2F6 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 0107A346

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b761e0e7aada33f0ae8880dd52cf02d2bb14e3032dab55c22a80b31418c2483c
Instruction ID: fa6faaf20245c144cd5a72a4df856b2359a9c446c298e08fac6ed92826a7637a
Opcode Fuzzy Hash: b761e0e7aada33f0ae8880dd52cf02d2bb14e3032dab55c22a80b31418c2483c
Instruction Fuzzy Hash: CB01A271600200ABD310DF16CD46B66FBE8FB88A20F148159EC089BB41D731F955CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0107BAF2 Relevance: 1.5, APIs: 1, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 0107BB2C

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b3b9ae66923e870e170ef6fcde891952caf660ddae3134648b6c5e69b2cae51e
Instruction ID: 6b0476105e716daab83685252f01bd54315d71b55c8f6e0a61381bd52f71e03c
Opcode Fuzzy Hash: b3b9ae66923e870e170ef6fcde891952caf660ddae3134648b6c5e69b2cae51e
Instruction Fuzzy Hash: 6801D471E002408FDB60CF19D884776FBE4EF04620F08C4AADD48CF34AD2B4E504CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 0107A44E Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0107A480

Memory Dump Source

Source File: 00000004.00000002.1799927212.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107a000_chargeable.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3c7b940c14ea1b8dc4ff440572b4deb13c18f69f080693b6c7ff31343ceee5a6
Instruction ID: b12158af2b59be1c636bff986b3a7d9bb7dafd759f2567965d15c5b5042b7b10
Opcode Fuzzy Hash: 3c7b940c14ea1b8dc4ff440572b4deb13c18f69f080693b6c7ff31343ceee5a6
Instruction Fuzzy Hash: 45F0F435A00240CFDB108F05D888765FBE4EF45620F0CC09ADD840B352D77AE508CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 0147C7C0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1800638326.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1470000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a1dc57404e7015bf6119f125131efa3dff74ebcc3aff542d0beea40c2d95ce
Instruction ID: 4f23f95086d6874813f4adeb0fffd1d370f57e2c347c659797301abc99122b07
Opcode Fuzzy Hash: 97a1dc57404e7015bf6119f125131efa3dff74ebcc3aff542d0beea40c2d95ce
Instruction Fuzzy Hash: 7C311534A08343CFC712CB69D8909AEBBB1FF84315B254067D451D73A6DB389D85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0147CB00 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1800638326.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1470000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43011aecc81065a70d8dd0cd117f711ba336e02268ce6b9ff68b33a62c36d19a
Instruction ID: 82c75c5f648ba7867ef101758a53336c776f03f95953939ae21c03745c99f00d
Opcode Fuzzy Hash: 43011aecc81065a70d8dd0cd117f711ba336e02268ce6b9ff68b33a62c36d19a
Instruction Fuzzy Hash: A931B530F04206CBDB659B7994987FE7AE6ABC8210F14402BE901EB764CF758C469BD2

Uniqueness

Uniqueness Score: -1.00%

Function 01470006 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1800638326.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1470000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee210839f84911e911c05b976e44765b97d897886836a88169bbd6789a51b08
Instruction ID: cd62e290220bf7e81ab14f359f70ac9d5a868958139c01f0444818727e92559f
Opcode Fuzzy Hash: 4ee210839f84911e911c05b976e44765b97d897886836a88169bbd6789a51b08
Instruction Fuzzy Hash: 8511CB6118F7C21FC74367B048300997F725E1316430B42DBC0C4CE8A3DA4E599AC7A7

Uniqueness

Uniqueness Score: -1.00%

Function 014E0734 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1801087464.00000000014E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14e0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692d5f25aa38e087bc04c40c0bd098539a0d7ab9e50709c83772dc24313cce24
Instruction ID: b4dd6c2bd1ab820984859440608bcb525d860f2eb0c3d431ec694d7c582be8d1
Opcode Fuzzy Hash: 692d5f25aa38e087bc04c40c0bd098539a0d7ab9e50709c83772dc24313cce24
Instruction Fuzzy Hash: C1215E3514D7C19FC713CB24C9A0B56BFB1AF47208F19C6DED4849B6A3C67A8806CB52

Uniqueness

Uniqueness Score: -1.00%

Function 014E076C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1801087464.00000000014E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14e0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638d9602527a9394ba82c08bb952ceaeed6f72361a48373541e0911009178dd5
Instruction ID: bf8df76458d0416354ad2fd49565501d57f6bd45e9f1963eeb26600a2878bceb
Opcode Fuzzy Hash: 638d9602527a9394ba82c08bb952ceaeed6f72361a48373541e0911009178dd5
Instruction Fuzzy Hash: 5011E430344280DFD711CB14D984B26BBE1EB89709F28C99EF5490BB62C7B7D803CA81

Uniqueness

Uniqueness Score: -1.00%

Function 014E05D0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1801087464.00000000014E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14e0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ccbbc6836694fbe63f16127edeecff9ceb66174a9c4ef8d68d391fbe7475ee
Instruction ID: cae8b0a11d1df1e2ef578024719b6b1c1f75ae48d1a1838e4da6a48d4d0992f9
Opcode Fuzzy Hash: 09ccbbc6836694fbe63f16127edeecff9ceb66174a9c4ef8d68d391fbe7475ee
Instruction Fuzzy Hash: 570188765497805FCB128F15EC448A2FFE8EB86620708C49BE84987752D225B909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 014E05E2 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1801087464.00000000014E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14e0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94eaf1145068ab6ab681b9ddded123f8a603e08de8d8aa80dfa926849bbbf61f
Instruction ID: f9fe48706b3dffb04af9f54ba36e243484b23df871b35727c305d23da7517874
Opcode Fuzzy Hash: 94eaf1145068ab6ab681b9ddded123f8a603e08de8d8aa80dfa926849bbbf61f
Instruction Fuzzy Hash: 910186B65097806FD712CF16AC45862FFB8EF86520709C4DFEC498B652D125B909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 014E0828 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1801087464.00000000014E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14e0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6850d79e688ef7387407e307c00caab001beb49244c143f541758b1d055de9a
Instruction ID: 89dae1fed6ec15568c6312941e6a6fb660c4df3557920204824f050ed480e9a7
Opcode Fuzzy Hash: e6850d79e688ef7387407e307c00caab001beb49244c143f541758b1d055de9a
Instruction Fuzzy Hash: 8DF04B35244644DFC202CB04D980B16FBE2EB88718F24CAA9E84907762C337E813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 014E0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1801087464.00000000014E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14e0000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1942033c39be2c00ca5c9391d03ae2fad859311a2e8b1cf55e12cd99ef7d62ba
Instruction ID: e2b2b75678daeaf1d744b6abbfdc53974916987b0f1429d47ff7c5aa0a3c2a6d
Opcode Fuzzy Hash: 1942033c39be2c00ca5c9391d03ae2fad859311a2e8b1cf55e12cd99ef7d62ba
Instruction Fuzzy Hash: E0E06DB66006004B9750DF0AEC45452F7D8EB84630708C06BEC0D8B701E235B5088AA6

Uniqueness

Uniqueness Score: -1.00%

Function 010723F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1799914479.0000000001072000.00000040.00000800.00020000.00000000.sdmp, Offset: 01072000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1072000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8590ff22eac96973435fc26cf3f66870a9f5129e6756f0791d298e28405d60
Instruction ID: af50e4469f0c184c0f844540f7e0f1234d7642521c9e74dcca128a5d41fbb5e0
Opcode Fuzzy Hash: 9e8590ff22eac96973435fc26cf3f66870a9f5129e6756f0791d298e28405d60
Instruction Fuzzy Hash: AAD05E7A6056C58FE3169A1CC1A4B953BE8AB61714F4A44F9A8408B763CB68D5D1D600

Uniqueness

Uniqueness Score: -1.00%

Function 010723BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1799914479.0000000001072000.00000040.00000800.00020000.00000000.sdmp, Offset: 01072000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1072000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e277477f76a2d8e73c12e3d33f79ce0efba02812fce00ebe786e88442a4c9d
Instruction ID: baa7136c090c7f7ef4511bbc1bd1ee623304c12e49634627518240d1a098e361
Opcode Fuzzy Hash: b1e277477f76a2d8e73c12e3d33f79ce0efba02812fce00ebe786e88442a4c9d
Instruction Fuzzy Hash: C1D05E347006814BD715DA0CC6D4F593BD8AB50B14F1A84ECAC508B762C7A4D8C1CA00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report G2Hseja2zK.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\G2Hseja2zK.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

C:\Users\user\AppData\Roaming\confuse\chargeable.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
G2Hseja2zK.exe

Function 014A00D0 Relevance: 9.1, Instructions: 9145
COMMON

Function 014A00E0 Relevance: 9.1, Instructions: 9140
COMMON

Function 014A98A0 Relevance: 2.7, Instructions: 2697
COMMON

Function 014A9828 Relevance: 2.5, Strings: 2, Instructions: 43
COMMON

Function 05380B60 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Function 00F8AC22 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Function 00F8AD19 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Function 05380F83 Relevance: 1.6, APIs: 1, Instructions: 81
registryCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre