
Windows Analysis Report
1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe

Overview

General Information

Sample name: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe
Analysis ID: 1526100
MD5: 8835790c46351f49444f7a5e73d4578e
SHA1: cde0ffd6c374b70373ea045b09d5d2db8af9a322
SHA256: b24e8948d314d492f4e1ae9fd78e8fcb41ee5c9adfd6e9ab7927fca7c333003c
Tags: base64-decoded, exe, user-abuse_ch

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
Malware configuration: {"C2 url": ["65.52.240.233"], "Port": "5555", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6af2:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000000.2114943927.0000000000802000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.2114943927.0000000000802000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x6a80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6b1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6c32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x68f2:$cnc4: POST / HTTP/1.1
00000000.00000002.4563249708.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Process Memory Space: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe PID: 6708 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

Source | Rule | Description | Author | Strings
0.0.1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe.800000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe.800000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6af2:$cnc4: POST / HTTP/1.1
            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-04T18:48:16.194805+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:48:23.860565+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:48:29.283098+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:48:42.361055+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:48:53.831813+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:48:55.457787+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:06.299873+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:06.736189+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:09.204046+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:10.659068+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:11.782791+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:22.221170+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:22.271454+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:22.315556+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:23.853563+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:24.368866+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:27.224225+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:27.466468+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:27.748758+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:38.063435+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:38.157417+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:43.142746+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:48.266789+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:48.371209+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:53.842178+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:01.364366+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:06.490034+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:06.599794+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:10.142189+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:10.236889+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:13.551844+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:20.079360+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:22.313702+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:23.836618+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:24.267557+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:31.752481+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:32.770480+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:34.239047+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:35.704476+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:44.554941+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:44.659107+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:45.735849+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:46.485626+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:48.188576+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:49.113083+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:49.908086+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:53.900645+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:54.738872+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:54.743370+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:00.441656+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:01.506802+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:10.423896+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:10.475679+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:18.083681+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:18.184304+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:20.173718+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:20.595441+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:20.691479+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:22.704659+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:23.834968+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:26.238960+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:27.112116+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:38.813931+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:46.127853+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:46.224828+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:53.834834+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:55.473416+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:56.487297+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:52:04.423705+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:52:17.505875+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:52:23.847341+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:52:24.208927+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:52:30.950570+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:52:30.950681+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-04T18:48:16.292395+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:48:29.285102+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:48:42.363291+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:48:55.459824+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:06.302496+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:06.741165+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:09.206456+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:10.666920+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:11.784486+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:11.901485+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:11.906481+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:22.223592+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:22.288466+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:22.317525+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:22.389087+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:22.394144+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:24.373335+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:27.226173+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:27.444681+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:27.750458+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:27.837047+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:27.931778+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:27.937209+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:38.065364+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:38.158860+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:43.146737+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:48.277131+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:48.380104+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:01.366937+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:06.504165+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:06.602932+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:10.144213+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:10.238604+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:13.553752+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:20.082226+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:22.317334+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:24.269629+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:31.754369+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:32.774638+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:34.240753+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:35.708333+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:44.556698+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:44.661172+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:44.757541+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:45.737526+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:46.488878+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:48.190281+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:49.115816+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:49.909851+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:54.740771+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:00.446394+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:01.508645+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:10.431147+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:10.480730+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:10.528311+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:10.576489+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:18.086986+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:18.186062+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:20.175468+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:20.598862+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:20.694923+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:22.706039+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:26.241460+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:27.113837+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:38.815705+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:46.130047+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:46.226439+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:55.478012+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:56.489018+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:56.585884+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:56.596488+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:52:04.424406+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:52:17.506572+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:52:30.952480+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-04T18:48:23.860565+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:48:53.831813+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:23.853563+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:53.842178+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:23.836618+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:53.900645+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:23.834968+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:53.834834+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:52:23.847341+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:52:24.208927+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-04T18:49:27.491826+0200 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP


            AV Detection

Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Avira: detected
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Malware Configuration Extractor: Xworm {"C2 url": ["65.52.240.233"], "Port": "5555", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Joe Sandbox ML: detected
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | String decryptor: 65.52.240.233
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | String decryptor: 5555
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | String decryptor: <123456789>
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | String decryptor: <Xwormmm>
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | String decryptor: XWorm V5.6
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | String decryptor: USB.exe
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49710 -> 65.52.240.233:5555
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 65.52.240.233:5555 -> 192.168.2.6:49710
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49710 -> 65.52.240.233:5555
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 65.52.240.233:5555 -> 192.168.2.6:49710
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49710 -> 65.52.240.233:5555
Source: Malware configuration extractor | URLs: 65.52.240.233
Source: global traffic | TCP traffic: 192.168.2.6:49710 -> 65.52.240.233:5555
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: unknown | TCP traffic detected without corresponding DNS query: 65.52.240.233
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, 00000000.00000002.4563249708.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            System Summary

Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe.800000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2114943927.0000000000802000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Code function: 0_2_00007FFD34786B22
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Code function: 0_2_00007FFD34785D76
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Code function: 0_2_00007FFD3478ACB8
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Code function: 0_2_00007FFD34782270
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Code function: 0_2_00007FFD347822C8
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, 00000000.00000000.2114943927.0000000000802000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Binary or memory string: OriginalFilenameXClient.exe4 vs 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe.800000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2114943927.0000000000802000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\ufaRcrPtpogUcj6M
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, Messages.cs | .Net Code: Memory
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Code function: 0_2_00007FFD34787508 push ebx; iretd 0_2_00007FFD3478756A
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Code function: 0_2_00007FFD34787558 push ebx; iretd 0_2_00007FFD3478756A
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Memory allocated: C90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Memory allocated: 1AAE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Window / User API: threadDelayed 9034
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Window / User API: threadDelayed 794
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe TID: 6404 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe TID: 3928 | Thread sleep count: 9034 > 30
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe TID: 3928 | Thread sleep count: 794 > 30
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Thread delayed: delay time: 922337203685477
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, 00000000.00000002.4562764648.0000000000D65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

            Anti Debugging

Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Process token adjusted: Debug
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Queries volume information: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe VolumeInformation
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, 00000000.00000002.4564937456.000000001B91C000.00000004.00000020.00020000.00000000.sdmp, 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, 00000000.00000002.4562764648.0000000000D65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

Source: Yara match | File source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2114943927.0000000000802000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4563249708.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe PID: 6708, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2114943927.0000000000802000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4563249708.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe PID: 6708, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques are listed per tactic column; a number before a technique name is the count shown on the matrix.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 11 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Disable or Modify Tools; 232 Virtualization/Sandbox Evasion; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 221 Security Software Discovery; 232 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

            SourceDetectionScannerLabelLink
            1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe84%ReversingLabsByteCode-MSIL.Backdoor.XWorm
            1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe100%AviraHEUR/AGEN.1305769
            1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe100%Joe Sandbox ML
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            SourceDetectionScannerLabelLink
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
            No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
65.52.240.233 | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, 00000000.00000002.4563249708.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
65.52.240.233 | unknown | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1526100
              Start date and time:2024-10-04 18:47:06 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 6m 43s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:7
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Sample name:1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@1/0@0/1
              EGA Information:Failed
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 46
              • Number of non-executed functions: 2
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240000 for current running targets taking high CPU consumption
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
              • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe, PID 6708 because it is empty
              • VT rate limit hit for: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe
Time | Type | Description
12:48:01 | API Interceptor | 16757547x Sleep call for process: 1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe modified
              No context
              No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS | 17280603672819f0df2cf8cead14d81e21241a4c34055121d703aa4e63f533daca4a845b70278.dat-decoded.exe | Get hash | malicious | Unknown | Browse | 52.252.190.167
| http://foth.federal-docs.com/uAfwC | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.45
| https://rs-stripe.hometalk.com/branding/?utm_source=contentstripe&amp | Get hash | malicious | Unknown | Browse | 40.85.112.191
| https://epayindia.epayperformance.com/Login.aspx?AppraisalId=6871 | Get hash | malicious | Phisher | Browse | 20.114.50.7
| https://nassistenza-online.209-74-64-227.cprapid.com/ | Get hash | malicious | Phisher | Browse | 150.171.27.10
| 172805100873dcf2097bda1ebce1dc29509a0d1c0ecef0168b8aa56fecb5a19c93ba543436853.dat-decoded.exe | Get hash | malicious | Unknown | Browse | 13.107.253.67
| https://vestliaresort-my.sharepoint.com/:o:/g/personal/ziga_vestlia_no/Eky579E0q2lOhPOUshOGsHcBMaZdCfwRcrEzHT2ZmUZxNA?e=ksWeaa | Get hash | malicious | Unknown | Browse | 52.108.9.12
| https://architekturgaleriegreven418-my.sharepoint.com/:f:/g/personal/s_mueller_ag-greven_de/EqHjHq0duZlPnK1b0Ad0gnQBDkq1USn2N3DBCaPZle5J1Q?e=5aU8Ja | Get hash | malicious | Unknown | Browse | 52.98.241.162
| ethaertharety.ps1 | Get hash | malicious | Unknown | Browse | 150.171.28.10
| Payment receipt 50%Invoicelp612117_CQDM.html | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.67
              No context
              No context
              No created / dropped files found
              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):5.589792733440079
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              • Win32 Executable (generic) a (10002005/4) 49.75%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Windows Screen Saver (13104/52) 0.07%
              • Generic Win/DOS Executable (2004/3) 0.01%
              File name:1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe
              File size:33'280 bytes
              MD5:8835790c46351f49444f7a5e73d4578e
              SHA1:cde0ffd6c374b70373ea045b09d5d2db8af9a322
              SHA256:b24e8948d314d492f4e1ae9fd78e8fcb41ee5c9adfd6e9ab7927fca7c333003c
              SHA512:db0adeb1194209150b0bf295e6c1d0f588149865e8091ec7a272ed485face439e44257b23a2964497b032de51a2fc08aed490c8bc434ee9ec40654823bf200ca
              SSDEEP:384:HEbmX5Qa+vN1h1+X3v6JFjL+g93Tm2eaFOzFzRApkFTBLTsOZwpGd2v99Ikuisgr:UVa+vNtg+PB93Tw4OFzVFE9jpOjhkbB
              TLSH:AAE22A4877944712DAEEAFB129F362061670D517E813EFAE0CE485EA2B67AC047407E6
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................x..........n.... ........@.. ....................................@................................
              Icon Hash:00928e8e8686b000
              Entrypoint:0x40976e
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x66FBB0A4 [Tue Oct 1 08:19:48 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
              Instruction
              jmp dword ptr [00402000h]
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x971c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x4d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7774 | 0x7800 | 8fa1abac40551bd010458adeb29fa983 | False | 0.5010091145833333 | data | 5.740633672979045 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa000 | 0x4d8 | 0x600 | afbb984503128042cc38bf70e5e337f4 | False | 0.375 | data | 3.7203482473352403 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc000 | 0xc | 0x200 | 3ee5eb55d2c84cad34ece42377c6f250 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xa0a0 | 0x244 | data | | | 0.4724137931034483
RT_MANIFEST | 0xa2e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-04T18:48:16.076270+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:48:16.194805+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:48:16.292395+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:48:23.860565+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:48:23.860565+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:48:29.283098+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:48:29.285102+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:48:42.361055+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:48:42.363291+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:48:53.831813+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:48:53.831813+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:48:55.457787+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:48:55.459824+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:06.299873+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:06.302496+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:06.736189+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:06.741165+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:09.204046+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:09.206456+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:10.659068+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:10.666920+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:11.782791+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:11.784486+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:11.901485+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:11.906481+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:22.221170+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:22.223592+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:22.271454+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:22.288466+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:22.315556+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:22.317525+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:22.389087+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:22.394144+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:23.853563+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:23.853563+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:24.368866+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:24.373335+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:27.224225+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:27.226173+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:27.444681+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:27.466468+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:27.491826+0200 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:27.748758+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:27.750458+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:27.837047+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:27.931778+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:27.937209+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:38.063435+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:38.065364+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:38.157417+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:38.158860+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:43.142746+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:43.146737+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:48.266789+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:48.277131+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:48.371209+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:48.380104+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:49:53.842178+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:49:53.842178+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:01.364366+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:01.366937+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:06.490034+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:06.504165+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:06.599794+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:06.602932+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:10.142189+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:10.144213+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:10.236889+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:10.238604+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:13.551844+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:13.553752+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:20.079360+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:20.082226+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:22.313702+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:22.317334+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:23.836618+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:23.836618+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:24.267557+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:24.269629+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:31.752481+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:31.754369+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:32.770480+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:32.774638+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:34.239047+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:34.240753+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:35.704476+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:35.708333+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:44.554941+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:44.556698+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:44.659107+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:44.661172+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:44.757541+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:45.735849+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:45.737526+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:46.485626+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:46.488878+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:48.188576+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:48.190281+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:49.113083+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:49.115816+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:49.908086+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:49.909851+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:53.900645+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:53.900645+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:54.738872+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:50:54.740771+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:50:54.743370+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:00.441656+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:00.446394+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:01.506802+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:01.508645+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:10.423896+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:10.431147+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:10.475679+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:10.480730+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:10.528311+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:10.576489+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:18.083681+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:18.086986+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:18.184304+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:18.186062+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:20.173718+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:20.175468+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:20.595441+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:20.598862+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:20.691479+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:20.694923+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:22.704659+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:22.706039+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:23.834968+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:23.834968+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:26.238960+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:26.241460+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:27.112116+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:27.113837+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:38.813931+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:38.815705+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
2024-10-04T18:51:46.127853+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 65.52.240.233 | 5555 | 192.168.2.6 | 49710 | TCP
2024-10-04T18:51:46.130047+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49710 | 65.52.240.233 | 5555 | TCP
              2024-10-04T18:51:46.224828+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes165.52.240.2335555192.168.2.649710TCP
              2024-10-04T18:51:46.226439+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971065.52.240.2335555TCP
              2024-10-04T18:51:53.834834+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes165.52.240.2335555192.168.2.649710TCP
              2024-10-04T18:51:53.834834+02002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2165.52.240.2335555192.168.2.649710TCP
              2024-10-04T18:51:55.473416+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes165.52.240.2335555192.168.2.649710TCP
              2024-10-04T18:51:55.478012+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971065.52.240.2335555TCP
              2024-10-04T18:51:56.487297+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes165.52.240.2335555192.168.2.649710TCP
              2024-10-04T18:51:56.489018+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971065.52.240.2335555TCP
              2024-10-04T18:51:56.585884+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971065.52.240.2335555TCP
              2024-10-04T18:51:56.596488+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971065.52.240.2335555TCP
              2024-10-04T18:52:04.423705+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes165.52.240.2335555192.168.2.649710TCP
              2024-10-04T18:52:04.424406+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971065.52.240.2335555TCP
              2024-10-04T18:52:17.505875+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes165.52.240.2335555192.168.2.649710TCP
              2024-10-04T18:52:17.506572+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971065.52.240.2335555TCP
              2024-10-04T18:52:23.847341+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes165.52.240.2335555192.168.2.649710TCP
              2024-10-04T18:52:23.847341+02002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2165.52.240.2335555192.168.2.649710TCP
              2024-10-04T18:52:24.208927+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes165.52.240.2335555192.168.2.649710TCP
              2024-10-04T18:52:24.208927+02002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2165.52.240.2335555192.168.2.649710TCP
              2024-10-04T18:52:30.950570+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes165.52.240.2335555192.168.2.649710TCP
              2024-10-04T18:52:30.950681+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes165.52.240.2335555192.168.2.649710TCP
              2024-10-04T18:52:30.952480+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971065.52.240.2335555TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 4, 2024 18:48:02.803628922 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:48:02.808543921 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:48:02.808682919 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:48:02.991849899 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:48:02.996917963 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:48:16.076270103 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:48:16.081166983 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:48:16.194804907 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:48:16.241405964 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:48:16.292395115 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:48:16.297245979 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:48:23.860564947 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:48:23.913301945 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:48:29.164279938 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:48:29.169585943 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:48:29.283097982 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:48:29.285101891 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:48:29.290110111 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:48:42.241832018 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:48:42.246998072 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:48:42.361054897 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:48:42.363291025 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:48:42.368220091 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:48:53.831813097 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:48:53.882137060 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:48:55.320000887 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:48:55.324942112 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:48:55.457787037 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:48:55.459824085 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:48:55.464770079 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:06.179722071 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:06.184928894 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:06.299873114 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:06.302495956 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:06.307643890 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:06.616878986 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:06.621948004 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:06.736188889 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:06.741164923 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:06.746020079 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:09.085704088 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:09.090639114 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:09.204046011 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:09.206455946 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:09.211484909 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:10.539304018 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:10.544498920 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:10.659068108 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:10.666919947 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:10.671749115 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:11.663985014 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:11.668931961 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:11.679224014 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:11.684123993 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:11.710587025 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:11.715447903 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:11.782790899 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:11.784486055 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:11.789537907 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:11.899817944 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:11.901484966 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:11.906433105 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:11.906481028 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:11.911313057 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:22.101741076 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:22.106643915 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:22.148293018 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:22.153209925 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:22.163743019 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:22.168766975 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:22.179337978 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:22.184149981 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:22.194912910 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:22.200653076 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:22.221169949 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:22.223592043 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:22.271454096 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:22.288465977 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:22.315556049 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:22.317524910 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:22.367280006 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:22.380491018 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:22.389086962 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:22.394046068 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:22.394144058 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:22.399255037 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:23.853563070 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:23.897809982 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:24.242043972 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:24.247047901 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:24.368865967 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:24.373334885 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:24.378169060 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:26.992096901 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:26.996989965 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.224225044 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.226172924 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:27.444680929 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:27.466468096 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.466520071 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:27.468189955 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.468240023 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:27.468647957 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.473021030 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.491826057 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:27.496747971 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.523001909 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:27.527838945 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.570085049 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:27.574927092 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.648225069 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:27.653363943 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.663849115 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:27.668776989 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.679352045 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:27.684176922 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.748758078 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.750458002 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:27.755292892 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.835598946 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.837047100 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:27.841995955 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.842035055 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:27.846975088 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.928796053 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.931777954 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:27.937167883 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:27.937208891 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:27.942332983 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:37.945177078 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:37.950042009 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:37.960606098 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:37.965531111 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:38.063435078 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:38.065363884 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:38.070185900 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:38.157417059 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:38.158859968 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:38.163971901 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:43.023631096 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:43.029071093 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:43.142745972 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:43.146737099 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:43.151572943 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:48.148185015 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:48.153112888 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:48.163928986 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:48.168700933 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:48.266788960 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:48.277131081 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:48.282016993 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:48.371208906 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:48.380104065 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:49:48.385186911 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:53.842178106 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:49:53.882253885 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:01.244201899 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:01.251012087 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:01.364366055 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:01.366936922 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:01.371815920 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:06.371560097 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:06.376692057 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:06.416157961 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:06.421097040 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:06.490034103 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:06.504164934 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:06.509279966 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:06.599793911 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:06.602931976 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:06.607877970 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:09.101265907 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:09.324394941 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:09.710422039 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:10.028672934 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:10.028695107 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:10.028707027 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:10.028728008 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:10.033869028 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:10.142189026 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:10.144212961 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:10.149240017 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:10.236888885 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:10.238604069 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:10.243400097 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:13.276344061 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:13.436034918 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:13.551843882 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:13.553751945 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:13.559051037 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:19.960840940 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:19.965960026 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:20.079360008 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:20.082226038 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:20.087496996 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:22.195163965 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:22.200109005 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:22.313702106 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:22.317333937 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:22.322293043 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:23.836617947 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:23.908951998 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:24.148516893 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:24.153733015 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:24.267556906 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:24.269629002 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:24.274812937 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:31.632570028 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:31.637603998 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:31.752480984 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:31.754369020 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:31.759268045 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:32.445256948 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:32.654568911 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:32.770479918 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:32.774637938 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:32.779637098 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:34.054527044 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:34.124789953 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:34.239047050 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:34.240752935 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:34.245831013 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:35.586098909 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:35.591254950 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:35.704476118 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:35.708333015 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:35.713228941 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:44.148406029 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:44.441961050 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:44.444315910 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:44.449315071 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:44.554940939 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:44.556698084 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:44.561743975 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:44.659106970 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:44.661171913 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:44.666508913 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:44.756169081 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:44.757540941 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:44.762397051 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:44.762579918 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:44.768068075 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:45.616961002 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:45.622266054 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:45.735848904 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:45.737525940 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:45.742481947 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:46.367197990 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:46.372432947 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:46.485625982 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:46.488878012 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:46.493835926 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:48.070115089 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:48.075114012 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:48.188575983 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:48.190280914 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:48.195297956 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:48.994693995 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:48.999762058 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:49.113082886 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:49.115816116 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:49.120687962 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:49.788996935 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:49.794152975 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:49.908086061 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:49.909851074 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:49.915273905 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:53.900645018 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:53.955523968 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:54.398459911 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:54.403568983 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:54.738872051 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:54.740771055 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:54.743370056 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:54.745726109 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:50:54.745846033 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:50:59.976768017 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:00.197906017 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:00.323863983 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:00.323889017 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:00.441656113 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:00.446393967 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:00.451173067 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:01.388353109 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:01.393443108 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:01.506802082 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:01.508645058 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:01.514147997 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:10.304930925 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:10.310269117 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:10.335930109 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:10.341001034 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:10.351573944 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:10.356674910 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:10.382771969 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:10.388077974 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:10.423896074 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:10.431147099 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:10.475678921 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:10.480730057 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:10.524195910 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:10.528311014 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:10.575697899 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:10.576488972 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:10.581409931 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:16.946487904 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:17.179405928 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:17.492032051 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:17.970509052 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:17.970539093 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:17.970566034 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:18.083681107 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:18.086986065 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:18.092695951 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:18.184303999 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:18.186062098 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:18.191154003 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:20.054635048 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:20.059974909 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:20.173717976 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:20.175467968 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:20.180623055 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:20.476406097 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:20.481633902 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:20.540337086 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:20.545541048 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:20.595441103 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:20.598861933 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:20.603936911 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:20.691478968 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:20.694922924 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:20.700892925 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:22.585856915 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:22.591171026 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:22.704658985 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:22.706038952 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:22.711469889 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:23.834968090 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:23.882460117 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:26.117264986 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:26.122240067 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:26.238960028 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:26.241460085 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:26.246555090 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
Oct 4, 2024 18:51:26.992604017 CEST | 49710 | 5555 | 192.168.2.6 | 65.52.240.233
Oct 4, 2024 18:51:26.997684956 CEST | 5555 | 49710 | 65.52.240.233 | 192.168.2.6
              Oct 4, 2024 18:51:27.112116098 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:27.113837004 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:51:27.118834019 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:38.695410967 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:51:38.700495005 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:38.813930988 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:38.815705061 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:51:38.820667028 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:46.008132935 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:51:46.013290882 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:46.039074898 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:51:46.044091940 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:46.127852917 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:46.130047083 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:51:46.136802912 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:46.224828005 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:46.226438999 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:51:46.231379032 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:53.834834099 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:53.882539034 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:51:55.352546930 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:51:55.357774973 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:55.473416090 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:55.478012085 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:51:55.486061096 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:56.367414951 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:51:56.372818947 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:56.414107084 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:51:56.419575930 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:56.429886103 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:51:56.434947014 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:56.487297058 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:56.489017963 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:51:56.494265079 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:56.581641912 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:56.585884094 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:51:56.595941067 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:51:56.596487999 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:51:56.602937937 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:52:04.304682016 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:52:04.309801102 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:52:04.423705101 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:52:04.424406052 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:52:04.429341078 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:52:17.387404919 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:52:17.392468929 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:52:17.505875111 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:52:17.506572008 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:52:17.511468887 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:52:23.847341061 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:52:23.898269892 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:52:24.208926916 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:52:24.208981991 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:52:30.463524103 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:52:30.468555927 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:52:30.950570107 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:52:30.950680971 CEST55554971065.52.240.233192.168.2.6
              Oct 4, 2024 18:52:30.950795889 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:52:30.952480078 CEST497105555192.168.2.665.52.240.233
              Oct 4, 2024 18:52:30.960103989 CEST55554971065.52.240.233192.168.2.6

              Target ID:0
              Start time:12:47:58
              Start date:04/10/2024
              Path:C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\Desktop\1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832ef6b761.dat-decoded.exe"
              Imagebase:0x800000
              File size:33'280 bytes
              MD5 hash:8835790C46351F49444F7A5E73D4578E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2114943927.0000000000802000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2114943927.0000000000802000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4563249708.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Reputation:low
              Has exited:false

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 88840889a197180d60095f14307ec474182cb1380173703d824d1129629311cd
                • Instruction ID: 4055f643633fa731bc1688b77efe3cee4395695ae1bf49edae9cebf2eb9bac17
                • Opcode Fuzzy Hash: 88840889a197180d60095f14307ec474182cb1380173703d824d1129629311cd
                • Instruction Fuzzy Hash: 2831FC61B18E1A4BFB90B7FC586A3BDB6D6FF99752F000276E00DD3292DD28AC014391
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9904167dacf5e93fce3b014e7803799cda66e74b9fcf0fd0d3fe17e11cd9bc25
                • Instruction ID: 9c9bb32932fbd676ce91bf23574b8387bca761b293b08568b8c5fcfd3875b700
                • Opcode Fuzzy Hash: 9904167dacf5e93fce3b014e7803799cda66e74b9fcf0fd0d3fe17e11cd9bc25
                • Instruction Fuzzy Hash: DD31B33050C7488FCB55DFA8D889AEABBF0FF56310F0482AFD049C7552D764A405CB51
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dd8c28f25c926a750eb8e442292d3f2806021bcae53726245eeb3471161aabc1
                • Instruction ID: 01301d4d20b7b53aff079356a20bc78e645ee5bc2929ba9457658a69f94ad334
                • Opcode Fuzzy Hash: dd8c28f25c926a750eb8e442292d3f2806021bcae53726245eeb3471161aabc1
                • Instruction Fuzzy Hash: 3831E77060DA9ACFD796EB3CC8926B977E1FF16311B4505E6D049C7292DA38F842C781
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2e7df9dbf645065004ae70eda702a8a5c76f466c336790c915995de1fd4ef8c4
                • Instruction ID: 9decc12fa8f14b0d3a38cb09235a9ae914acbe72d509b70edb1b8252ce3492be
                • Opcode Fuzzy Hash: 2e7df9dbf645065004ae70eda702a8a5c76f466c336790c915995de1fd4ef8c4
                • Instruction Fuzzy Hash: 313108B1B099598FDB989F1894E66BDBBE1EFD5311F05027ED50EE3291CE3978008781
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cae8a5c1678419b1cc61fd80ae825741446ab75367861e542f371d3cc390d3cb
                • Instruction ID: 02550e0a2722dff57426c66f4716311dd56cd5a65a67588339e8dfa1e4f3bf4b
                • Opcode Fuzzy Hash: cae8a5c1678419b1cc61fd80ae825741446ab75367861e542f371d3cc390d3cb
                • Instruction Fuzzy Hash: 3421D5A0B1CD5A9BE791B3AC58767B9B7D5EF56300F5401B5E14CC32C3DD2CA8118792
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8ceb5c5b39f1b2590074d74f7940a29c733aba95b583c2e01e1fbdb956565d6c
                • Instruction ID: 8b3eb423e58a0b5b70d8f910835ab7f783670fca988fb2a53ba6f43b98ab6359
                • Opcode Fuzzy Hash: 8ceb5c5b39f1b2590074d74f7940a29c733aba95b583c2e01e1fbdb956565d6c
                • Instruction Fuzzy Hash: 30112970B4C59A4FD786976848666FA3BD1EF87211F0441B6D58EC7193DD1CA80287C1
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 40d6bcafd1217e6969eedd19d5e127470c0fe53547bbf9e79a2d3b0b7f85ebeb
                • Instruction ID: ee00a17bf78eef88787b6f5d8cf1504b14d049d08353354d839e9f7e72683bd5
                • Opcode Fuzzy Hash: 40d6bcafd1217e6969eedd19d5e127470c0fe53547bbf9e79a2d3b0b7f85ebeb
                • Instruction Fuzzy Hash: DD11E7B5F0D6828BF3A6637849B35B93BA1AF93311F4900B5E548CB4C3DD1C785A9391
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4d49c4171ac1dc6c791a5532edb43311e0d57d46929dd2e85c3233a880bcb716
                • Instruction ID: 96fdbb3b62578d72631ba54a1a0312f1b27603d6e6296ed944b74c872ad220a2
                • Opcode Fuzzy Hash: 4d49c4171ac1dc6c791a5532edb43311e0d57d46929dd2e85c3233a880bcb716
                • Instruction Fuzzy Hash: 37110CF5A4E6C58FDB92523458670D97FA0EF43221B0405FBD199CB093E90D241AD7C2
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1cfd07eae195d7d9a161474352a986fd5a147b9432f461b899941eb6c2185a0c
                • Instruction ID: 1fca281bd7a8772db8a5ec01e6f9eeed23dbce7461c82b33d60d944b64b8e24e
                • Opcode Fuzzy Hash: 1cfd07eae195d7d9a161474352a986fd5a147b9432f461b899941eb6c2185a0c
                • Instruction Fuzzy Hash: C501C8B0F1C91E8BEB98A62C44A65F973D2FB99312F004235D54EC3281DD28B80257C1
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cba5cfbbd2904efda84aef620afd1c453de14243aaf7e4425f57d33e85befbb0
                • Instruction ID: 2290f5654cc7b058a442266ff9212ce1c74a5a1b53dbc9359faf86e5d053a0d3
                • Opcode Fuzzy Hash: cba5cfbbd2904efda84aef620afd1c453de14243aaf7e4425f57d33e85befbb0
                • Instruction Fuzzy Hash: 0B112BB190868D8FD788DF2894692B93BE1EF56201F4441BFC58DD3962FF3864028340
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1dddb233a158ee43fa9555a70aecb06a5af361d4cab7478b035af2ddbce461c1
                • Instruction ID: bcd91c619f9fba17d9abc8979d699b32048a48b1fb03ff0cf543722432146aaf
                • Opcode Fuzzy Hash: 1dddb233a158ee43fa9555a70aecb06a5af361d4cab7478b035af2ddbce461c1
                • Instruction Fuzzy Hash: 6E012B71E0868D4FD741ABA484291FE3BF0FF15311F4101B7C048C71A3EB3954408781
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f6dc2964212e2ffd987ef731a0b7187384ca96306047810563770b5dfd74a8a7
                • Instruction ID: 1c746562174459029f20b72493eebee376a4de714e7c9e737588d5db73979f1f
                • Opcode Fuzzy Hash: f6dc2964212e2ffd987ef731a0b7187384ca96306047810563770b5dfd74a8a7
                • Instruction Fuzzy Hash: DB01D161F0E7968FFBA5ABB804B62783A91EF56301F9904B9D14EC61C3DD5CBC428381
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e557309209f01e883970ceefe6ea06523ee2bf1d1f56eda46cd18f1bd7af8e38
                • Instruction ID: 216db11c86696d05c7a4aa94755bf906f24647eb81c4a7938b2b0eb202a62591
                • Opcode Fuzzy Hash: e557309209f01e883970ceefe6ea06523ee2bf1d1f56eda46cd18f1bd7af8e38
                • Instruction Fuzzy Hash: DBF0D1B0F0C142CBE3A5DB6884A25B833A1EF93312F040634D15DC3AD2DE2CB85297C0
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4dffd84bc01a63591d6e09fab2e81a8a33003f2c5da93c2344e9a50cb9e5b3b1
                • Instruction ID: 1f93920f90fded523faf527201441de82211d68257a8a684b83b45c6e1a1ada9
                • Opcode Fuzzy Hash: 4dffd84bc01a63591d6e09fab2e81a8a33003f2c5da93c2344e9a50cb9e5b3b1
                • Instruction Fuzzy Hash: 75E0C27286838C8FD7425B6058221EA7B24EF52208F4505CBF408C7052E624A6188382
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3ad8cecd164398c89b03c8144bc4e691514f8bc432125699cfe0cab26577ae26
                • Instruction ID: 2f1675d18582cb2029108c034bdf424d7261f130f9714d80839d61bd9f5660d0
                • Opcode Fuzzy Hash: 3ad8cecd164398c89b03c8144bc4e691514f8bc432125699cfe0cab26577ae26
                • Instruction Fuzzy Hash: 4FD0C250C5D2C24AE70B23781CA38907F508E031A4F4902D1E454C70D3D84D249A52B2
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 385423396b701835064902e685cfef8e311eded0c915557df1a247210c5dc8e2
                • Instruction ID: 5bc9e6935701bee512a02e79a91f2d7b6ffb77ecf8ee1d0cb1a4b3cf3bb5de43
                • Opcode Fuzzy Hash: 385423396b701835064902e685cfef8e311eded0c915557df1a247210c5dc8e2
                • Instruction Fuzzy Hash: 62E04675448A1C9FCF44FF6898845A93BAAFA18364B00066BE81EC3240E735DA758F81
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9fabc5a56076826d02fd89c60ba31c129f7419e4cbdcf04ef981e44218cce232
                • Instruction ID: 996a03eceab9a8d4f8cacef95755c0e09f8d5d9ee1dbf1ad27939e37968fee12
                • Opcode Fuzzy Hash: 9fabc5a56076826d02fd89c60ba31c129f7419e4cbdcf04ef981e44218cce232
                • Instruction Fuzzy Hash: 3EE0C2B581D3C94FDB436B3489111EA7FB0AB13200F8A09D7D498C6063EA2C522DC382
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b9e65dd4ba68bbb97a4f2f36a3ef5b2bb626c93ac90d9831ab7b834ad64c2e06
                • Instruction ID: dece567f52dfcb16dfb1c1c485fbd18475b7eaf63978457702cf9274d2d24ebe
                • Opcode Fuzzy Hash: b9e65dd4ba68bbb97a4f2f36a3ef5b2bb626c93ac90d9831ab7b834ad64c2e06
                • Instruction Fuzzy Hash: 77B09290F7E48684984832B909A70A8BB609B8B125FD504B0D58980082984D24A666C2
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fac7f533094594c87eb19635f4d99a77509470137552ba62feddb162c665d0d2
                • Instruction ID: a9c74380861938c29c71e5c77152e72e387b34a25aff818fa3c03630cb3e1196
                • Opcode Fuzzy Hash: fac7f533094594c87eb19635f4d99a77509470137552ba62feddb162c665d0d2
                • Instruction Fuzzy Hash: 718131A7B0D7E25FE653566C6CB70E53F90DF5326770940F7C688CA093A90D680A93E2
                Memory Dump Source
                • Source File: 00000000.00000002.4565728593.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd34780000_1728060366c73c2b51b3cccf4f90f5b82277982346f63fadf74c16a31e498f81a01832.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 398124f07e79ab93bc870ee176f638fee9585238df370e46a47438c029afd94b
                • Instruction ID: 8da3a9292d619c2c8d0b69a4c67a7c7ada25a2d39579818a7109e519e4e0be0b
                • Opcode Fuzzy Hash: 398124f07e79ab93bc870ee176f638fee9585238df370e46a47438c029afd94b
                • Instruction Fuzzy Hash: 3A71CB3064F7C58FE34393389869AA57F91EF83326F0D41FAE489CA4A3DAD95406C752