Windows Analysis Report
ehxF3rusxJ.exe

Overview

General Information

Sample name: ehxF3rusxJ.exe (renamed because original name is a hash value)
Original sample name: 75096dda61a68ec57361d1d25972a28b7fce9c676490ec2aa4aa3e018536977e.exe
Analysis ID: 1579064
MD5: 1dea073d9439cce9534ac2b33f6dd285
SHA1: df2115247664958d2b2a1842eb6ffcf2cd8430a4
SHA256: 75096dda61a68ec57361d1d25972a28b7fce9c676490ec2aa4aa3e018536977e
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • ehxF3rusxJ.exe (PID: 3812 cmdline: "C:\Users\user\Desktop\ehxF3rusxJ.exe" MD5: 1DEA073D9439CCE9534AC2B33F6DD285)
  • cleanup
{"C2 url": ["please-commissions.gl.at.ply.gg"], "Port": 35075, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
ehxF3rusxJ.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
ehxF3rusxJ.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x71aa:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7247:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x735c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x701c:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Xeno.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\Xeno.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x71aa:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7247:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x735c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x701c:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000000.2033230351.0000000000042000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.2033230351.0000000000042000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x6faa:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7047:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x715c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6e1c:$cnc4: POST / HTTP/1.1
00000000.00000002.2299507457.0000000002396000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2299507457.00000000022E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: ehxF3rusxJ.exe PID: 3812 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
0.0.ehxF3rusxJ.exe.40000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.ehxF3rusxJ.exe.40000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x71aa:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7247:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x735c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x701c:$cnc4: POST / HTTP/1.1

System Summary

Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\ehxF3rusxJ.exe, ProcessId: 3812, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xeno.lnk
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T18:59:15.514563+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.24 | 35075 | 192.168.2.5 | 49704 | TCP
2024-12-20T18:59:18.634549+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.24 | 35075 | 192.168.2.5 | 49704 | TCP
2024-12-20T18:59:19.205272+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.24 | 35075 | 192.168.2.5 | 49705 | TCP
2024-12-20T18:59:22.431352+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.24 | 35075 | 192.168.2.5 | 49704 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T18:59:13.365452+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:13.485432+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:13.605133+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:13.725175+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:13.844898+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:13.965198+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:14.085166+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:14.204846+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:14.324744+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:14.571415+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:14.692061+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:14.817385+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:15.157331+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:15.283463+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:15.403173+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:15.522795+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:15.642573+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:15.807234+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:15.926875+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:16.046592+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:16.286221+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:16.407409+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:16.640003+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:16.760308+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:16.880083+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:16.999689+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:17.119292+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:17.238968+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:17.322122+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:17.441776+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:17.561516+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:17.681121+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:17.920553+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.040274+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.139343+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.258911+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.378828+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.498763+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.619253+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.636404+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.739188+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.861372+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.956622+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:19.076318+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:19.196059+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T18:59:15.514563+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 147.185.221.24 | 35075 | 192.168.2.5 | 49704 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T18:59:13.365452+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:13.485432+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:13.605133+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:13.725175+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:13.844898+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:13.965198+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:14.085166+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:14.204846+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:14.324744+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:14.571415+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:14.692061+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:14.817385+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:15.157331+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:15.283463+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:15.403173+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:15.522795+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:15.642573+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:15.807234+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:15.926875+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:16.046592+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:16.286221+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:16.407409+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:16.640003+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:16.760308+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:16.880083+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:16.999689+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:17.119292+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:17.238968+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:17.322122+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:17.441776+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:17.561516+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:17.681121+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:17.920553+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.040274+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.139343+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.258911+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.378828+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.498763+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.619253+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.739188+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.861372+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:18.956622+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:19.076318+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
2024-12-20T18:59:19.196059+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T18:59:18.083919+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 147.185.221.24 | 35075 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T18:59:12.160699+0100 | 2853191 | 1 | Malware Command and Control Activity Detected | 147.185.221.24 | 35075 | 192.168.2.5 | 49704 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T18:59:11.226246+0100 | 2853192 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 147.185.221.24 | 35075 | TCP

                AV Detection

Source: ehxF3rusxJ.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Xeno.exe | Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: ehxF3rusxJ.exe | Malware Configuration Extractor: Xworm {"C2 url": ["please-commissions.gl.at.ply.gg"], "Port": 35075, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\Xeno.exe | ReversingLabs: Detection: 86%
Source: ehxF3rusxJ.exe | ReversingLabs: Detection: 86%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Xeno.exe | Joe Sandbox ML: detected
Source: ehxF3rusxJ.exe | Joe Sandbox ML: detected
Source: ehxF3rusxJ.exe | String decryptor: please-commissions.gl.at.ply.gg
Source: ehxF3rusxJ.exe | String decryptor: 35075
Source: ehxF3rusxJ.exe | String decryptor: <123456789>
Source: ehxF3rusxJ.exe | String decryptor: <Xwormmm>
Source: ehxF3rusxJ.exe | String decryptor: XWorm V5.6
Source: ehxF3rusxJ.exe | String decryptor: USB.exe
Source: ehxF3rusxJ.exe | String decryptor: %AppData%
Source: ehxF3rusxJ.exe | String decryptor: Xeno.exe
Source: ehxF3rusxJ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ehxF3rusxJ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Code function: 4x nop then jmp 00007FF848E6C842h | 0_2_00007FF848E6C67D
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Code function: 4x nop then jmp 00007FF848E6DA14h | 0_2_00007FF848E6D3CF
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Code function: 4x nop then jmp 00007FF848E6DA25h | 0_2_00007FF848E6D3CF
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Code function: 4x nop then jmp 00007FF848E6E5E4h | 0_2_00007FF848E6BFE0
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Code function: 4x nop then jmp 00007FF848E6E5E4h | 0_2_00007FF848E6BFE0

                Networking

Source: Network traffic | Suricata IDS: 2852873 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 : 192.168.2.5:49705 -> 147.185.221.24:35075
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49705 -> 147.185.221.24:35075
Source: Network traffic | Suricata IDS: 2853192 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.5:49704 -> 147.185.221.24:35075
Source: Network traffic | Suricata IDS: 2853191 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound : 147.185.221.24:35075 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 147.185.221.24:35075 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 147.185.221.24:35075 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 147.185.221.24:35075
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49704 -> 147.185.221.24:35075
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 147.185.221.24:35075 -> 192.168.2.5:49705
Source: Malware configuration extractor | URLs: please-commissions.gl.at.ply.gg
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 147.185.221.24:35075
Source: Joe Sandbox View | IP Address: 147.185.221.24
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: please-commissions.gl.at.ply.gg
Source: ehxF3rusxJ.exe, 00000000.00000002.2299507457.00000000022E1000.00000004.00000800.00020000.00000000.sdmp, ehxF3rusxJ.exe, 00000000.00000002.2299507457.000000000236C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.ehxF3rusxJ.exe.23d4718.2.raw.unpack, RemoteDesktop.cs | .Net Code: GetScreen
Source: 0.2.ehxF3rusxJ.exe.23ca498.1.raw.unpack, RemoteDesktop.cs | .Net Code: GetScreen
Source: 0.2.ehxF3rusxJ.exe.1acf0000.3.raw.unpack, RemoteDesktop.cs | .Net Code: GetScreen

                System Summary

Source: ehxF3rusxJ.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.ehxF3rusxJ.exe.40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2033230351.0000000000042000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Xeno.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Code function: 0_2_00007FF848E671C2 | 0_2_00007FF848E671C2
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Code function: 0_2_00007FF848E605A0 | 0_2_00007FF848E605A0
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Code function: 0_2_00007FF848E66416 | 0_2_00007FF848E66416
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Code function: 0_2_00007FF848E6BFE0 | 0_2_00007FF848E6BFE0
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Code function: 0_2_00007FF848E62328 | 0_2_00007FF848E62328
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Code function: 0_2_00007FF848E6B4BB | 0_2_00007FF848E6B4BB
Source: ehxF3rusxJ.exe, 00000000.00000000.2033230351.0000000000042000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs ehxF3rusxJ.exe
Source: ehxF3rusxJ.exe, 00000000.00000002.2300419134.000000001ACF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRemoteDesktop.dll< vs ehxF3rusxJ.exe
Source: ehxF3rusxJ.exe, 00000000.00000002.2299507457.00000000023D2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemoteDesktop.dll< vs ehxF3rusxJ.exe
Source: ehxF3rusxJ.exe, 00000000.00000002.2299507457.00000000023B3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemoteDesktop.dll< vs ehxF3rusxJ.exe
Source: ehxF3rusxJ.exe | Binary or memory string: OriginalFilenameXClient.exe4 vs ehxF3rusxJ.exe
Source: ehxF3rusxJ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ehxF3rusxJ.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.ehxF3rusxJ.exe.40000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2033230351.0000000000042000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\Xeno.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: ehxF3rusxJ.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: ehxF3rusxJ.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: ehxF3rusxJ.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Xeno.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Xeno.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Xeno.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ehxF3rusxJ.exe.23d4718.2.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ehxF3rusxJ.exe.23d4718.2.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ehxF3rusxJ.exe.23ca498.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ehxF3rusxJ.exe.23ca498.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ehxF3rusxJ.exe.1acf0000.3.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ehxF3rusxJ.exe.1acf0000.3.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Xeno.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Xeno.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ehxF3rusxJ.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ehxF3rusxJ.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/3@1/1
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | File created: C:\Users\user\AppData\Roaming\Xeno.exe
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Mutant created: \Sessions\1\BaseNamedObjects\S0kq8jsRCNfJ43Y8
Source: ehxF3rusxJ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ehxF3rusxJ.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ehxF3rusxJ.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | File read: C:\Users\user\Desktop\ehxF3rusxJ.exe
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Section loaded: ntshrui.dll
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exeSection loaded: cscapi.dllJump to behavior
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exeSection loaded: avicap32.dllJump to behavior
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exeSection loaded: msvfw32.dllJump to behavior
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
                Source: Xeno.lnk.0.drLNK file: ..\..\..\..\..\Xeno.exe
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                Source: ehxF3rusxJ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: ehxF3rusxJ.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                Source: ehxF3rusxJ.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: ehxF3rusxJ.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: Xeno.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: Xeno.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: ehxF3rusxJ.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                Source: ehxF3rusxJ.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                Source: ehxF3rusxJ.exe, Messages.cs | .Net Code: Memory
                Source: Xeno.exe.0.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                Source: Xeno.exe.0.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                Source: Xeno.exe.0.dr, Messages.cs | .Net Code: Memory
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Code function: 0_2_00007FF848E600BD pushad ; iretd 0_2_00007FF848E600C1
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | File created: C:\Users\user\AppData\Roaming\Xeno.exe
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xeno.lnk
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\8AB6E69446D0440A0945 CC52384910CEE944DDBCC575A8E0177BFA6B16E3032438B207797164D5C94B34
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Memory allocated: 880000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Memory allocated: 1A2E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Window / User API: threadDelayed 6760
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Window / User API: threadDelayed 3093
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe TID: 6196 | Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Thread delayed: delay time: 922337203685477
                Source: ehxF3rusxJ.exe, 00000000.00000002.2300706788.000000001B210000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Queries volume information: C:\Users\user\Desktop\ehxF3rusxJ.exe VolumeInformation
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: ehxF3rusxJ.exe, 00000000.00000002.2298681149.00000000004D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\ehxF3rusxJ.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: ehxF3rusxJ.exe, type: SAMPLE
                Source: Yara match | File source: 0.0.ehxF3rusxJ.exe.40000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000000.2033230351.0000000000042000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2299507457.0000000002396000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2299507457.00000000022E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: ehxF3rusxJ.exe PID: 3812, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Roaming\Xeno.exe, type: DROPPED

                Remote Access Functionality

                Source: Yara match | File source: ehxF3rusxJ.exe, type: SAMPLE
                Source: Yara match | File source: 0.0.ehxF3rusxJ.exe.40000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000000.2033230351.0000000000042000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2299507457.0000000002396000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2299507457.00000000022E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: ehxF3rusxJ.exe PID: 3812, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Roaming\Xeno.exe, type: DROPPED
                MITRE ATT&CK Matrix (numbers in parentheses are the count of matched signatures for that technique; cells without a number were not observed):

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (11) | Registry Run Keys / Startup Folder (2) | Registry Run Keys / Startup Folder (2) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (221) | Remote Services | Screen Capture (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | DLL Side-Loading (1) | Modify Registry (1) | LSASS Memory | Virtualization/Sandbox Evasion (131) | Remote Desktop Protocol | Archive Collected Data (11) | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (1) | Security Account Manager | Application Window Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Virtualization/Sandbox Evasion (131) | NTDS | File and Directory Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (11) | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | System Information Discovery (13) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (2) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (2) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label
                ehxF3rusxJ.exe | 87% | ReversingLabs | Win32.Exploit.Xworm
                ehxF3rusxJ.exe | 100% | Avira | HEUR/AGEN.1305769
                ehxF3rusxJ.exe | 100% | Joe Sandbox ML |

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Roaming\Xeno.exe | 100% | Avira | HEUR/AGEN.1305769
                C:\Users\user\AppData\Roaming\Xeno.exe | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Roaming\Xeno.exe | 87% | ReversingLabs | Win32.Exploit.Xworm
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                please-commissions.gl.at.ply.gg | 147.185.221.24 | true | true | | unknown

                Name | Malicious | Antivirus Detection | Reputation
                please-commissions.gl.at.ply.gg | true | | unknown

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ehxF3rusxJ.exe, 00000000.00000002.2299507457.00000000022E1000.00000004.00000800.00020000.00000000.sdmp, ehxF3rusxJ.exe, 00000000.00000002.2299507457.000000000236C000.00000004.00000800.00020000.00000000.sdmp | false | | high
                IP | Domain | Country | ASN | ASN Name | Malicious
                147.185.221.24 | please-commissions.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1579064
                      Start date and time:2024-12-20 18:58:09 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 4m 33s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:4
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:ehxF3rusxJ.exe
                      renamed because original name is a hash value
                      Original Sample Name:75096dda61a68ec57361d1d25972a28b7fce9c676490ec2aa4aa3e018536977e.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@1/3@1/1
                      EGA Information:Failed
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 78
                      • Number of non-executed functions: 1
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                      • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target ehxF3rusxJ.exe, PID 3812 because it is empty
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: ehxF3rusxJ.exe
                Time | Type | Description
                12:59:03 | API Interceptor | 70x Sleep call for process: ehxF3rusxJ.exe modified
                18:59:03 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xeno.lnk
                Match | Associated Sample Name / URL | Detection | Threat Name
                147.185.221.24 | Client-built-Playit.exe | malicious | Quasar
                147.185.221.24 | file.exe | malicious | ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig
                147.185.221.24 | 72OWK7wBVH.exe | malicious | XWorm
                147.185.221.24 | aZDwfEKorn.exe | malicious | XWorm
                147.185.221.24 | HdTSntLSMB.exe | malicious | XWorm
                147.185.221.24 | file.exe | malicious | XWorm
                147.185.221.24 | file.exe | malicious | XWorm
                147.185.221.24 | NhoqAfkhHL.bat | malicious | Unknown
                147.185.221.24 | a4lIk1Jrla.exe | malicious | Njrat, RevengeRAT
                147.185.221.24 | W6s1vzcRdj.exe | malicious | XWorm
                                          No context
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                SALSGIVERUS | loligang.ppc.elf | malicious | Mirai | 147.184.134.130
                SALSGIVERUS | Client-built-Playit.exe | malicious | Quasar | 147.185.221.24
                SALSGIVERUS | PowerRat.exe | malicious | AsyncRAT | 147.185.221.211
                SALSGIVERUS | file.exe | malicious | ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig | 147.185.221.24
                SALSGIVERUS | msedge.exe | malicious | XWorm | 147.185.221.22
                SALSGIVERUS | imagelogger.exe | malicious | XWorm | 147.185.221.229
                SALSGIVERUS | NJRAT DANGEROUS.exe | malicious | XWorm | 147.185.221.181
                SALSGIVERUS | com surrogate.exe | malicious | XWorm | 147.185.221.22
                SALSGIVERUS | lastest.exe | malicious | Njrat | 147.185.221.20
                SALSGIVERUS | Fast Download.exe | malicious | Njrat | 147.185.221.229
                                          No context
                                          No context
                                          Process:C:\Users\user\Desktop\ehxF3rusxJ.exe
                                          File Type:CSV text
                                          Category:dropped
                                          Size (bytes):1727
                                          Entropy (8bit):5.3718223239563105
                                          Encrypted:false
                                          SSDEEP:48:MxHKQwYHKGSI6o6+vxp3/elStHTHhAHKKkhHNp51qHGIs0HKD:iqbYqGSI6o9Zp/elStzHeqKkhtp5wmjB
                                          MD5:31EF241F1F20FCB19A5F31BA847A045B
                                          SHA1:EF969D35B4517591F0761196C80EC3596497D890
                                          SHA-256:06C7CEBB25F733FC6E607865E9268C51ED87F001379A5C35A8FB1BEF13756D31
                                          SHA-512:8643C52CA4C18D62EF54591EB342E60C11B40BFA0680B3ECD63BF4B9A67486CCEA4B5FA3EE0ACEAAB835D2501894B1AE8A0077FC19B8C51D1192D671A83E30F4
                                          Malicious:true
                                          Reputation:low
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0
                                          Process:C:\Users\user\Desktop\ehxF3rusxJ.exe
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 20 16:59:02 2024, mtime=Fri Dec 20 16:59:02 2024, atime=Fri Dec 20 16:59:02 2024, length=34816, window=hide
                                          Category:dropped
                                          Size (bytes):748
                                          Entropy (8bit):5.000371362441162
                                          Encrypted:false
                                          SSDEEP:12:82jcO4flt88CMTlsY//DLMpGpjAitHHEKswayJmV:82Kfl+8fTZv9NA2vswayJm
                                          MD5:384E693309FA7DD2F687292B66D75CC6
                                          SHA1:D2035F1F80ECEBE78091AB5113246A4B500115FE
                                          SHA-256:BF18DA1EB75A0D2A572746B88FEA9B50FB9CA5A6836D9B8DFD62D43735F65CE7
                                          SHA-512:E1156188AF4D251C78A534A4A674E92BF931D416195779DB0A079FDBD55EA4B422219732C544D303D015DA0670A0F8C11B4BAFA034B4F0D6882772635B32EA2B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\Desktop\ehxF3rusxJ.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):34816
                                          Entropy (8bit):5.576940534170495
                                          Encrypted:false
                                          SSDEEP:384:1xaXVqG28uymzhzUuHnOmYxLm9cCwvHixdTEgVR8pkFTBLTIZwYGDcvw9Ikuise4:DaXUzPi9wcC4C7V9FZ9jPaOjhv/cD
                                          MD5:1DEA073D9439CCE9534AC2B33F6DD285
                                          SHA1:DF2115247664958D2B2A1842EB6FFCF2CD8430A4
                                          SHA-256:75096DDA61A68EC57361D1D25972A28B7FCE9C676490EC2AA4AA3E018536977E
                                          SHA-512:4D5D268675A6916B4C42DBAC6AC35CDE66799F442178BB2FBF037C3D02506FF723E0D7234746559D89FA787E43C935F4AE8B03DF4041669BE01169038E402DC6
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Xeno.exe, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Xeno.exe, Author: ditekSHen
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 87%
                                          Reputation:low
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):5.576940534170495
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          File name:ehxF3rusxJ.exe
                                          File size:34'816 bytes
                                          MD5:1dea073d9439cce9534ac2b33f6dd285
                                          SHA1:df2115247664958d2b2a1842eb6ffcf2cd8430a4
                                          SHA256:75096dda61a68ec57361d1d25972a28b7fce9c676490ec2aa4aa3e018536977e
                                          SHA512:4d5d268675a6916b4c42dbac6ac35cde66799f442178bb2fbf037c3d02506ff723e0d7234746559d89fa787e43c935f4ae8b03df4041669be01169038e402dc6
                                          SSDEEP:384:1xaXVqG28uymzhzUuHnOmYxLm9cCwvHixdTEgVR8pkFTBLTIZwYGDcvw9Ikuise4:DaXUzPi9wcC4C7V9FZ9jPaOjhv/cD
                                          TLSH:22F23B4877904321CAFE6FF16DF3B1090274F5078923E79E4CD48A9A6F279C28A107E6
                                          Icon Hash:00928e8e8686b000
                                          Entrypoint:0x409cee
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x6762A055 [Wed Dec 18 10:13:41 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9c98 | 0x53 | .text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x4d8 | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0xc | .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x2000 | 0x7cf4 | 0x7e00 | 50c19c312fffd4f301292dec854f2ba5 | False | 0.4983568948412698 | data | 5.720814910919369 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rsrc | 0xa000 | 0x4d8 | 0x600 | afbb984503128042cc38bf70e5e337f4 | False | 0.375 | data | 3.7203482473352403 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc | 0xc000 | 0xc | 0x200 | 4d60749099df21a093a8bd5ee10fc20e | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                          RT_VERSION | 0xa0a0 | 0x244 | data | | | 0.4724137931034483
                                          RT_MANIFEST | 0xa2e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                          DLL | Import
                                          mscoree.dll | _CorExeMain
                                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                          2024-12-20T18:59:11.226246+0100 | 2853192 | ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound | 1 | 192.168.2.5 | 49704 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:12.160699+0100 | 2853191 | ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound | 1 | 147.185.221.24 | 35075 | 192.168.2.5 | 49704 | TCP
                                          2024-12-20T18:59:13.365452+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:13.365452+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:13.485432+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:13.485432+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:13.605133+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:13.605133+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:13.725175+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:13.725175+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:13.844898+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:13.844898+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:13.965198+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:13.965198+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:14.085166+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:14.085166+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:14.204846+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:14.204846+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:14.324744+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:14.324744+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:14.571415+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:14.571415+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:14.692061+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:14.692061+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:14.817385+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:14.817385+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:15.157331+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:15.157331+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:15.283463+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:15.283463+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:15.403173+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:15.403173+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:15.514563+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.24 | 35075 | 192.168.2.5 | 49704 | TCP
                                          2024-12-20T18:59:15.514563+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 147.185.221.24 | 35075 | 192.168.2.5 | 49704 | TCP
                                          2024-12-20T18:59:15.522795+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:15.522795+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:15.642573+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:15.642573+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:15.807234+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:15.807234+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:15.926875+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:15.926875+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:16.046592+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:16.046592+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:16.286221+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:16.286221+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:16.407409+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:16.407409+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:16.640003+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:16.640003+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:16.760308+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:16.760308+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:16.880083+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:16.880083+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:16.999689+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:16.999689+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:17.119292+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:17.119292+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:17.238968+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:17.238968+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:17.322122+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:17.322122+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:17.441776+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:17.441776+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:17.561516+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:17.561516+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:17.681121+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:17.681121+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:17.920553+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:17.920553+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.040274+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.040274+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.083919+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49704 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.139343+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.139343+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.258911+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.258911+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.378828+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.378828+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.498763+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.498763+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.619253+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.619253+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.634549+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.24 | 35075 | 192.168.2.5 | 49704 | TCP
                                          2024-12-20T18:59:18.636404+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49704 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.739188+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.739188+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.861372+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.861372+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.956622+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:18.956622+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:19.076318+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:19.076318+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:19.196059+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:19.196059+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49705 | 147.185.221.24 | 35075 | TCP
                                          2024-12-20T18:59:19.205272+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.24 | 35075 | 192.168.2.5 | 49705 | TCP
                                          2024-12-20T18:59:22.431352+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.24 | 35075 | 192.168.2.5 | 49704 | TCP
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Dec 20, 2024 18:59:04.626247883 CET | 52678 | 53 | 192.168.2.5 | 1.1.1.1
                                          Dec 20, 2024 18:59:04.987365007 CET | 53 | 52678 | 1.1.1.1 | 192.168.2.5

                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                          Dec 20, 2024 18:59:04.626247883 CET | 192.168.2.5 | 1.1.1.1 | 0x5ea4 | Standard query (0) | please-commissions.gl.at.ply.gg | A (IP address) | IN (0x0001) | false

                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                          Dec 20, 2024 18:59:04.987365007 CET | 1.1.1.1 | 192.168.2.5 | 0x5ea4 | No error (0) | please-commissions.gl.at.ply.gg | (none) | 147.185.221.24 | A (IP address) | IN (0x0001) | false
                                          Target ID: 0
                                          Start time: 12:58:58
                                          Start date: 20/12/2024
                                          Path: C:\Users\user\Desktop\ehxF3rusxJ.exe
                                          Wow64 process (32bit): false
                                          Commandline: "C:\Users\user\Desktop\ehxF3rusxJ.exe"
                                          Imagebase: 0x40000
                                          File size: 34'816 bytes
                                          MD5 hash: 1DEA073D9439CCE9534AC2B33F6DD285
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2033230351.0000000000042000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2033230351.0000000000042000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2299507457.0000000002396000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2299507457.00000000022E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation: low
                                          Has exited: true

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: &$
                                            • API String ID: 0-3672554430
                                            • Opcode ID: fc99f53fb8bdb8de7d00dfaeda2887835587f6fa659a86984976b6f336e9f0e6
                                            • Instruction ID: 13e803247e32304e3b18d24567423f00ca82f11b014c9ec1cec799796c3a9fec
                                            • Opcode Fuzzy Hash: fc99f53fb8bdb8de7d00dfaeda2887835587f6fa659a86984976b6f336e9f0e6
                                            • Instruction Fuzzy Hash: 30C19931D0D6998FEBA9EB68C854BADBBB0FF15340F5001BAD04DA7292DF346985CB40
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: &$
                                            • API String ID: 0-3672554430
                                            • Opcode ID: 52ef2d04150789016992a407162e440a14b273562cc5ffe85e910e6a58812ff9
                                            • Instruction ID: 4d51e994cfbab417842c14e2f0595de2d4aa5d8a2b72020c02d3b7279239128c
                                            • Opcode Fuzzy Hash: 52ef2d04150789016992a407162e440a14b273562cc5ffe85e910e6a58812ff9
                                            • Instruction Fuzzy Hash: FBC18831D0D6598FEBA9EB68C894BADBBB0FF15340F5001BAD04DA7292DF346985CB44
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: &$
                                            • API String ID: 0-3672554430
                                            • Opcode ID: 48619f6df792defc8ba1d0232999ace6d1ea56ca5a623d66728a94c913dd5228
                                            • Instruction ID: 8c63fb2f880388d337ab00313d568b7abb1f8d121197ebdbe9a1ed2d3cf2f46d
                                            • Opcode Fuzzy Hash: 48619f6df792defc8ba1d0232999ace6d1ea56ca5a623d66728a94c913dd5228
                                            • Instruction Fuzzy Hash: E2B15970D096598FEBA8EB68C895BADB7B0FF55340F5001BAD00EA7292DF346985CF44
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: &$
                                            • API String ID: 0-3672554430
                                            • Opcode ID: 859209df16ec082690950c0dadd18f5fb837fc0bc05f1066ffac0644353af810
                                            • Instruction ID: 7483dbb9ac57411b3ff6b648e5dda37437748c9a69c6a478a54d664db3bd2c87
                                            • Opcode Fuzzy Hash: 859209df16ec082690950c0dadd18f5fb837fc0bc05f1066ffac0644353af810
                                            • Instruction Fuzzy Hash: AA91F37090861D8FEBA8EB68C885BADB7B1FF54340F5041AAD40EA7292DF356985CF44
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 6S_H
                                            • API String ID: 0-3755630769
                                            • Opcode ID: 21be4fdf95d327025c80b03975a9ce88514177ebe7f56397fc92e513ab14242d
                                            • Instruction ID: 4d7e45d39e608e01bb2f78f31f305f27ac68ac72969605acc5aa75b65e57cb24
                                            • Opcode Fuzzy Hash: 21be4fdf95d327025c80b03975a9ce88514177ebe7f56397fc92e513ab14242d
                                            • Instruction Fuzzy Hash: B1D10270E2CA598FE799FB2C949867877E2FB98394F9401B9D00ED3296DF34B8418744
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: _
                                            • API String ID: 0-701932520
                                            • Opcode ID: b4c2f95105b9fce58e23d10a6dfa8b07be3b81e368de6db3e550c926b3d99cd1
                                            • Instruction ID: 691a91b07f4edfbaeb86a1a4e8372e9f6101252dd6eb89bb0eabf5691275be68
                                            • Opcode Fuzzy Hash: b4c2f95105b9fce58e23d10a6dfa8b07be3b81e368de6db3e550c926b3d99cd1
                                            • Instruction Fuzzy Hash: 47A11761E1CA495FE798BB3C58593B9BBD1FF98650F8801BAD00DE3283DF3868428755
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: SAO_^
                                            • API String ID: 0-3650529936
                                            • Opcode ID: f6acab0b29bda7cdd6c463b78999d9fbde9f202c536d479dd6285df584398c7c
                                            • Instruction ID: dc250ae8316b24d6527c7015affebf510704ac140b0cdc59e2b04183433b9c3c
                                            • Opcode Fuzzy Hash: f6acab0b29bda7cdd6c463b78999d9fbde9f202c536d479dd6285df584398c7c
                                            • Instruction Fuzzy Hash: 28A1F121E2CE4A5FE798FB3C845A279B7D2FF98790F480179D00DD3286DF28A8414746
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: _
                                            • API String ID: 0-701932520
                                            • Opcode ID: 5b75637bc8488ab14e6f0fa84c1bc458d908635b97f1f940be11279e0847de37
                                            • Instruction ID: 457d3fb5f62393ca744e6c9b66efcf3d572fe4b57c345c9d3f73d03bb541bbdc
                                            • Opcode Fuzzy Hash: 5b75637bc8488ab14e6f0fa84c1bc458d908635b97f1f940be11279e0847de37
                                            • Instruction Fuzzy Hash: FD91F661E2C9499FE798FA3C54593B9ABD1FFD8690F88017AD40DE3282DF3868428745
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PkH
                                            • API String ID: 0-987504156
                                            • Opcode ID: bb626bb4547a7407d82930b8365dcbc55f5cbe2de8a858611e6c0221367b71b7
                                            • Instruction ID: 266124968e420ad821ca1974fafd1d761d9d8a03af29f3a713a63098e41d7437
                                            • Opcode Fuzzy Hash: bb626bb4547a7407d82930b8365dcbc55f5cbe2de8a858611e6c0221367b71b7
                                            • Instruction Fuzzy Hash: B1910371E0E95A5FE788F73884592A87BE1FF55390F8802BAD009D3192DF38B8478395
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PkH
                                            • API String ID: 0-987504156
                                            • Opcode ID: ce3912242bee084e5f02426a233ac624132c4ec35cf29960f67513a94ad43541
                                            • Instruction ID: 79468e76edb3b5b2f5de2c69ca73bd26c6591b80a6b20c83df1456f3831c3005
                                            • Opcode Fuzzy Hash: ce3912242bee084e5f02426a233ac624132c4ec35cf29960f67513a94ad43541
                                            • Instruction Fuzzy Hash: 62310431D0E95A6FEB94FB3C84546B97BE1FF98390F8401BAE00CD7186DB38A8069355
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: d
                                            • API String ID: 0-2564639436
                                            • Opcode ID: 3956b61b442f0087ab71ff40dd08298546883b1f970557b8778dd53d75c4e094
                                            • Instruction ID: 6e77ee5b5fb4c40ab58efc7e801efd6c5c073c5d30bafac7f23034997455f6b0
                                            • Opcode Fuzzy Hash: 3956b61b442f0087ab71ff40dd08298546883b1f970557b8778dd53d75c4e094
                                            • Instruction Fuzzy Hash: 2421D832C0C26A4FEB44ABA4C8096F9BBF0FF45350F4401BBD599E7292DB7C68468795
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PkH
                                            • API String ID: 0-987504156
                                            • Opcode ID: 48313e37ab8ee99dd5207b1570d6e63b5b9cbdc2c9dee22d2afc64572fc4c01c
                                            • Instruction ID: 2b717237da16c039e85c000db4a2fde5a5c1110536091010d5989619c3f51556
                                            • Opcode Fuzzy Hash: 48313e37ab8ee99dd5207b1570d6e63b5b9cbdc2c9dee22d2afc64572fc4c01c
                                            • Instruction Fuzzy Hash: AE21232090DACA4FE746E7389861661BBE1EF66390F5A00E7C088CB197D62CA853C321
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: SAO_^
                                            • API String ID: 0-3650529936
                                            • Opcode ID: b393b9622a4ff297e3399a3322ae2129096bc92c7be6d1b73a0f03dea72d5e51
                                            • Instruction ID: 40404df73366335772cb1392bdfa877fb5d854877c0ec7708309221c8eeb50de
                                            • Opcode Fuzzy Hash: b393b9622a4ff297e3399a3322ae2129096bc92c7be6d1b73a0f03dea72d5e51
                                            • Instruction Fuzzy Hash: 72118421D0E6964FF31BB73944251AD2FA1AF822D0F8845B9D049DB1D3EF397805835A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PkH
                                            • API String ID: 0-987504156
                                            • Opcode ID: 4f62b6d4c139aafbfaad5814d95a401f1dee69a4a8005a4196a123718470aca3
                                            • Instruction ID: c854124777b68db208ddf8a97156ec17533d6fcbc225183130666720baca7bce
                                            • Opcode Fuzzy Hash: 4f62b6d4c139aafbfaad5814d95a401f1dee69a4a8005a4196a123718470aca3
                                            • Instruction Fuzzy Hash: 3CF03131A18C0E8FDAA4E62CD455766A3D5FFA8351F550676D00CD3249DB74EC828754
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: SAO_^
                                            • API String ID: 0-3650529936
                                            • Opcode ID: 73db29b72959b99f18648824b759e0be7b5e6a17ef0330aa33d3cb9dbfdb59ef
                                            • Instruction ID: 2c8fff4f1d5ceac0afe64c41ed9ea74e2957cfb5aec1ee2b17c9bfdf8b644f41
                                            • Opcode Fuzzy Hash: 73db29b72959b99f18648824b759e0be7b5e6a17ef0330aa33d3cb9dbfdb59ef
                                            • Instruction Fuzzy Hash: 13F08C30C0C5129FE36AFB28C0856BD73A2BF95390F944639D00DA31D2DF3AB8569688
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4b22547b17c7a500736540a6cebde1fbd5632ba532d531529301c006574be84b
                                            • Instruction ID: 5222b2c8dc37e87cf2bfbf8b84c71c5f0497a67402086e86783f1e32f9066c5b
                                            • Opcode Fuzzy Hash: 4b22547b17c7a500736540a6cebde1fbd5632ba532d531529301c006574be84b
                                            • Instruction Fuzzy Hash: 1DD1C370E18A1D8FEBA8EB58C895BEDB7B1FF58340F5041A9D04DE3292CF3469818B55
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fa788a998f6631f387fdb9db4d3533ba367c078e87afe57b212e6bab7002c81b
                                            • Instruction ID: a2237ef52ec2bc41145740fbdfc1515d2e35e19b10ce303fe9da20517ef815f4
                                            • Opcode Fuzzy Hash: fa788a998f6631f387fdb9db4d3533ba367c078e87afe57b212e6bab7002c81b
                                            • Instruction Fuzzy Hash: 4DB1D83050CA8D8FEB99EF28C8557E93BD1FF55350F44426EE84DC7292CB34A9458B86
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c192928b2bafd45513f468ca60bb4c1dcfa39520d3a2953075f2030a376265fa
                                            • Instruction ID: 2f5e4b7d1026a40bf66e26edd9a70eb797708f7d3be44d01efb0b13314eb0db5
                                            • Opcode Fuzzy Hash: c192928b2bafd45513f468ca60bb4c1dcfa39520d3a2953075f2030a376265fa
                                            • Instruction Fuzzy Hash: 04C1DB30E09A499FEB58EB68C885BADB7B1FF49350F5441B9D00DE3292CF386885CB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2dc86c86a3d7bd74b94977f8a7af965d0057366531a4cf855c9cbb536eb2bc76
                                            • Instruction ID: fea44bf88c0222483a50bcd6703df6b97fd67d489f7a520ac33be91929d8dfaa
                                            • Opcode Fuzzy Hash: 2dc86c86a3d7bd74b94977f8a7af965d0057366531a4cf855c9cbb536eb2bc76
                                            • Instruction Fuzzy Hash: 5681D461F2C9494FE798AB3C54593BD77D2FF983A0F94057AD40AD32C7EE2868028785
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f2ca9ff1e4f29a9a708821c696b1cabf584ad917ca363bdbaccf3051328b71fc
                                            • Instruction ID: 713e9738a764945c508316b62f1bf57809689d09c79a141e3d4a26738efe6230
                                            • Opcode Fuzzy Hash: f2ca9ff1e4f29a9a708821c696b1cabf584ad917ca363bdbaccf3051328b71fc
                                            • Instruction Fuzzy Hash: 8D91C660B68D05AFE688B76C94567BAF3C2FFA8340F644175D00DC36D6CE68BC418766
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e175fac1de1b7aff68c831d81b5eadfb3784c96382f4445641fe34bde6b0b3cc
                                            • Instruction ID: 0b93a3514c71d1ba1bb5d211cd9e0c21d2e1784aef26af027c038120e1b82926
                                            • Opcode Fuzzy Hash: e175fac1de1b7aff68c831d81b5eadfb3784c96382f4445641fe34bde6b0b3cc
                                            • Instruction Fuzzy Hash: 0D71C231A1C9594FDB99FB289859AF9B7E1FF59350F44017AD00DE3292CE38A846C741
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8145e046152e6812cbb15e4e2461530a15d3a41879685a08fe3ae0af6ebddd06
                                            • Instruction ID: 35c709cfa1abb12d5dc5d8c156619b30c3f550bd1b566cb4f48316bcb5f072e4
                                            • Opcode Fuzzy Hash: 8145e046152e6812cbb15e4e2461530a15d3a41879685a08fe3ae0af6ebddd06
                                            • Instruction Fuzzy Hash: 2071767090D6898FE759EF6888156B97FE0FF52361F4841BED088D7193EB28A406C751
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 972cae07a3f8cd6f98a583a82b1212eec64e42bf8a533e5865b480a30f0a763e
                                            • Instruction ID: d8e1388ffa6cb903594bd05720a5fe458caaa521a923af68a3a70ce27f0c1d9a
                                            • Opcode Fuzzy Hash: 972cae07a3f8cd6f98a583a82b1212eec64e42bf8a533e5865b480a30f0a763e
                                            • Instruction Fuzzy Hash: 70518E31E1C9198FEB99FB289499ABDB7E2FF98350F540579D00EE3296CE34AC418741
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 221a58ff7b5fc35ee4ac532797da7f7cc91bc0f03ed2a8f554c62637869892fd
                                            • Instruction ID: ea71201ed8d2d062c36e8ad14c32da6072e309fe37b231310b54159fc5d1e9e8
                                            • Opcode Fuzzy Hash: 221a58ff7b5fc35ee4ac532797da7f7cc91bc0f03ed2a8f554c62637869892fd
                                            • Instruction Fuzzy Hash: E561FA30E18A5D8FDB98EF68D895AACB7F1FF59341F500169E019E72A2CF35A841CB44
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cc355b0bdb5057e63359ef73b59dbe5aae0445506ca143e437ce982c08bc5a09
                                            • Instruction ID: eebf60831b3712b9c4e430565468e3e6f09372c440e99a228a78228f1549c8c6
                                            • Opcode Fuzzy Hash: cc355b0bdb5057e63359ef73b59dbe5aae0445506ca143e437ce982c08bc5a09
                                            • Instruction Fuzzy Hash: 78517070918A1C8FDB98EF68D8457EDBBF1FF99310F14426AD44DE3252DB34A8468B81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1390fca98d9cf1f6080c1d781715530ac26d25667bc1ffe95ba87cab64927fdb
                                            • Instruction ID: 904867c02d9f0007d0d118ff16d55d18d3f1900691d8a022741dc0fa7c5cfcd7
                                            • Opcode Fuzzy Hash: 1390fca98d9cf1f6080c1d781715530ac26d25667bc1ffe95ba87cab64927fdb
                                            • Instruction Fuzzy Hash: C0517F30E1D9199FEB98EB28D8556BC77E2FF99740F4441B5E40DE3292CF38A8429744
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c5c4ac551f09fe0edd6488d46055750f5a1fde8531166c1493dc5b53e7eb22e5
                                            • Instruction ID: 6203335a08d689cea7ff91d164182709faaed5c62c57a1493925cbf041576bed
                                            • Opcode Fuzzy Hash: c5c4ac551f09fe0edd6488d46055750f5a1fde8531166c1493dc5b53e7eb22e5
                                            • Instruction Fuzzy Hash: 5161E330E0D6868FE74AE73448152A9BBA1FF563A0F5802B9C459D71D3CF6C7842C755
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 10fe034f6f349ddcb5f3df7c5650ccdf43ed1ad03c9b5fb3424bbeb057e25cee
                                            • Instruction ID: 00f735be10ee9bc913f109053e0c4582359919a2979f48419194b79307faaa40
                                            • Opcode Fuzzy Hash: 10fe034f6f349ddcb5f3df7c5650ccdf43ed1ad03c9b5fb3424bbeb057e25cee
                                            • Instruction Fuzzy Hash: 79518131D08A1C8FDB58EB58D845BE9BBF1FB59310F1082ABD40DE3252DF34A9858B81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6f3e352518edb4c2680cec9902def8eaa0d7473972d6bc763539bf1434e8db08
                                            • Instruction ID: 8d057a398294c466dee27eb32678875dd7a04d50f77f96d8bcb9f4fc76ec085f
                                            • Opcode Fuzzy Hash: 6f3e352518edb4c2680cec9902def8eaa0d7473972d6bc763539bf1434e8db08
                                            • Instruction Fuzzy Hash: BE61D930A1891C8FDB98EF68D895AADB7F1FF59341F501169E00EE7292CF35A841CB44
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e3bfa5a1dee0fd584bfdfedb85ab2ab9c6e5f434c0aa56d93614ec29091536b0
                                            • Instruction ID: a38934d200633472bf2efdb03aa63fcf5b55026593d3f263cb6c20e06e357085
                                            • Opcode Fuzzy Hash: e3bfa5a1dee0fd584bfdfedb85ab2ab9c6e5f434c0aa56d93614ec29091536b0
                                            • Instruction Fuzzy Hash: 15516070A08A1C9FDB58EF68D8457EDB7F1FF58350F10426AD44DE3252DB34A8468B81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fa6358b53220ff9e5f4ae4fb2adee7d8020e752dda1017532c6a4e3ff740642d
                                            • Instruction ID: 8c86c8201a4b2b464b6b804e1134d2cccbfa8dcfb87d63700773c6afa3880fe9
                                            • Opcode Fuzzy Hash: fa6358b53220ff9e5f4ae4fb2adee7d8020e752dda1017532c6a4e3ff740642d
                                            • Instruction Fuzzy Hash: FB514E30E18A1D8FDB98EB18C894BA8B7F1FB59350F4441AAD04EE3291CF31A981CF45
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f0c6774b8f8043d6018a110d1ad0d2ed2bb6989394d7140bdf4880e9faba2c42
                                            • Instruction ID: 51e8a3bf69e4a0491998f037f93c6e8939c42946aa40ad53c8d466267c65233f
                                            • Opcode Fuzzy Hash: f0c6774b8f8043d6018a110d1ad0d2ed2bb6989394d7140bdf4880e9faba2c42
                                            • Instruction Fuzzy Hash: 10510420A1DAC99FD786AB3C5869275BFD1EF9A255F0800FAE08DC7297DE185806C346
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 062ace7d84995cf6f6cb0ca5f4755cc02186e10fd2d16d4db126025bd705b746
                                            • Instruction ID: 79c4f9407135f59d53fc4d5ed758b76d236da8dc42f721b9bd28f132d45d6a01
                                            • Opcode Fuzzy Hash: 062ace7d84995cf6f6cb0ca5f4755cc02186e10fd2d16d4db126025bd705b746
                                            • Instruction Fuzzy Hash: EE413821F1D9499FE358FB3C94552B8BBD1FF99654F0801BAE04DC7297DE28AC068345
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b68a55729ad489ef6fc0dce53cb987390392f7c4338366eea05980a2865ff02b
                                            • Instruction ID: 1508cc2a9a9332a9954170fbc5215e849fa2181af11b2d241ef0733a26780244
                                            • Opcode Fuzzy Hash: b68a55729ad489ef6fc0dce53cb987390392f7c4338366eea05980a2865ff02b
                                            • Instruction Fuzzy Hash: 4D412921F1DA895FE789FB3C94652B9BBD1FF99254F0801BAE04DC7293DE28AC058345
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bc609e2092527703f796a695756cada6332f7b76c254b704afc692f58d4fbbc7
                                            • Instruction ID: 8d86e7b169fb7491a8dc679215026a48d912939b11e4bf1cc7bb26d720a587bc
                                            • Opcode Fuzzy Hash: bc609e2092527703f796a695756cada6332f7b76c254b704afc692f58d4fbbc7
                                            • Instruction Fuzzy Hash: 1C51E435A1891D8FDB88EF98D894AADB7F1FF59301F44016AE40DE7291CB74A842CB44
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 668d2f63baee87bc39537d70797e50e505c12c54e757a236f0ba0fcee9ae733e
                                            • Instruction ID: 18b578ba662039eb19064b8f8efa6c21ebee0c892159ca3569308b33107635f0
                                            • Opcode Fuzzy Hash: 668d2f63baee87bc39537d70797e50e505c12c54e757a236f0ba0fcee9ae733e
                                            • Instruction Fuzzy Hash: 16419C74A1CA1CCFDB99EF28D4A9AB97BE0FB64311F04016ED00AD3692DB75E841CB41
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1c4f0080a5032c1b073f4c49f900cf732bf84e2d2fa69cc18ac56e8cb4c73c69
                                            • Instruction ID: 1cf95ac778ce528c8092166e38df14777ca6918d98909a2f829f967186708314
                                            • Opcode Fuzzy Hash: 1c4f0080a5032c1b073f4c49f900cf732bf84e2d2fa69cc18ac56e8cb4c73c69
                                            • Instruction Fuzzy Hash: E4418921A1EE9A5FE399B73C441A2793BD2EF86650F4800BAD44CD3297DD28AC028341
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 70720521b2d231a78aca2e2fedf17c5b5578a0362bb5aa1da2fa4c31dc88f37b
                                            • Instruction ID: ed4fc642a046cc2b0506cf72cc5283d0d77c4dd30c0f40bbdcdd964a90c64da6
                                            • Opcode Fuzzy Hash: 70720521b2d231a78aca2e2fedf17c5b5578a0362bb5aa1da2fa4c31dc88f37b
                                            • Instruction Fuzzy Hash: 1541CD3180DA4D9FDB55EB68C845AE9BBF0FF56320F0442ABD04CD35A2DB386946CB81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 40c3fafabc0cb7a2e698ba327a8b4615196514c84466d1221ed42d0b8173e3af
                                            • Instruction ID: b5d53d77eda7c954493209a2ef1ed291256581369e6d47d709ecc497da94b6ef
                                            • Opcode Fuzzy Hash: 40c3fafabc0cb7a2e698ba327a8b4615196514c84466d1221ed42d0b8173e3af
                                            • Instruction Fuzzy Hash: 3841A171E0D9598FEB84EB6888596FC77F2FF99341B4400BAD40DE3292DF38A8428715
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 815010ba1029bd7a1eac935d81a6936b6bfd4e83a36187f8659ba68656527976
                                            • Instruction ID: de77fa551a05f71a2419fc7975ee69719193193df18a8999b88bc1835a427ff3
                                            • Opcode Fuzzy Hash: 815010ba1029bd7a1eac935d81a6936b6bfd4e83a36187f8659ba68656527976
                                            • Instruction Fuzzy Hash: B031E420B1D9495FE798EB3C5459279B6C2EF9C755F0405BEE00EC3297DE28AC018341
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ac94f9ce46f2190608a595d4856b5e429b223cc2dc91cb439036e585fcdecd11
                                            • Instruction ID: 8f0c0343371b13251e47eb475ebf28d0b1ff3314cc52010e9c78db4e2c3cbb18
                                            • Opcode Fuzzy Hash: ac94f9ce46f2190608a595d4856b5e429b223cc2dc91cb439036e585fcdecd11
                                            • Instruction Fuzzy Hash: 2641253050D6898FEB96AB7888456A53FE1FF97350F0900FAD448CB163DA29A806C352
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7c59fc0029bfd3ff3060b8d105408b4abd47b203bb514a32e176fd1d2273e303
                                            • Instruction ID: 4b01132db905c83eb0fa4d82805cf397ce917e0935d5e4d8d57c9b370671189a
                                            • Opcode Fuzzy Hash: 7c59fc0029bfd3ff3060b8d105408b4abd47b203bb514a32e176fd1d2273e303
                                            • Instruction Fuzzy Hash: 0931F221F2CD595FE788B77C58593B9A7D2FF98681F484176E00CD3287DE28A8014792
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9d2f2038921296dee9a847f6c0b152f0ce02bf562c0aeaf94e32b876f5ae19b7
                                            • Instruction ID: f001b4cabf9ca42ee3f6dacc70d3699e8e6d32f5a5c6ee3092781cfbe0800d7a
                                            • Opcode Fuzzy Hash: 9d2f2038921296dee9a847f6c0b152f0ce02bf562c0aeaf94e32b876f5ae19b7
                                            • Instruction Fuzzy Hash: A5417C30D0D6598FEBA5EB2498146F9B7B0FF59351F9401BAD00DE2192CF35AA81CB85
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1248fa986a027b39cd96765f355a8114110a103a46f4c6163963994272a98537
                                            • Instruction ID: e8349cfd6fed1c95abda9866547a16da7116a8c82c4eb43de00328ef427bdbcd
                                            • Opcode Fuzzy Hash: 1248fa986a027b39cd96765f355a8114110a103a46f4c6163963994272a98537
                                            • Instruction Fuzzy Hash: 7831CE3094E689CFE756FBA8C454BA8BBB1FF47350F0905A9D049D72E2CB79A845CB04
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e5013965d3c7b29311f0605931e075540d24e78f1d230df6726ea256a9ada150
                                            • Instruction ID: 1217f52acf4232d5ae8be251c2ebd8914a938d8eb6e763ccda7b3693e937ffd9
                                            • Opcode Fuzzy Hash: e5013965d3c7b29311f0605931e075540d24e78f1d230df6726ea256a9ada150
                                            • Instruction Fuzzy Hash: 8C31F621F28D195FE788B77C585A3BDA6D2FF98781F544136E00DE3286DE28AC014791
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 235d3d8442801d32f3d574dd2c453de93fe49e79f897ec491127dc860171d023
                                            • Instruction ID: ac254c8768efa474fefe6251dabd5cb59ac203addb6219119b77ffa32c55646e
                                            • Opcode Fuzzy Hash: 235d3d8442801d32f3d574dd2c453de93fe49e79f897ec491127dc860171d023
                                            • Instruction Fuzzy Hash: B631B370A19A1E9FEB48FB7884556FDBBF1FF98300F940479D00AE3286DE3868018754
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 477ad95a99a2f68fc6b03f7a20b2b7ea369c53eaf18fbdd29a2b6a9a6574595e
                                            • Instruction ID: aae76a0b8aab9eb5fe0d36148708b3cf58e710cb380abaa95268ea560e86713c
                                            • Opcode Fuzzy Hash: 477ad95a99a2f68fc6b03f7a20b2b7ea369c53eaf18fbdd29a2b6a9a6574595e
                                            • Instruction Fuzzy Hash: D331C431A0D6588FEB94FB3898557BD77E1FF99760F5501BAD009D3182DB38A8428741
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1c48b3ec7699e6c4af4ea330360d46a95173c4cd4442f18fb5ed4949550915e4
                                            • Instruction ID: dc40b0b627aaa94206de5193f3919f26f4bae47301c21479d24b7404d6a0768b
                                            • Opcode Fuzzy Hash: 1c48b3ec7699e6c4af4ea330360d46a95173c4cd4442f18fb5ed4949550915e4
                                            • Instruction Fuzzy Hash: 3731B330A0D999DFEB46EB38C89A6BC37E1FF56351B4406A6D058C7296CF38B842C745
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fddf0c41dd31a4acd21c8201f51ff2b2b1e492f0bef418f1873d0766e31bdc70
                                            • Instruction ID: 2f529b17d149cdd6e99e056826c86cc040ea7dc419dc0e14a9bc7f29e92fe593
                                            • Opcode Fuzzy Hash: fddf0c41dd31a4acd21c8201f51ff2b2b1e492f0bef418f1873d0766e31bdc70
                                            • Instruction Fuzzy Hash: 4A31E022D1D99A9FE745A7289C221F97FB1FF41290F8401B7D00AE72D7DE2C28478396
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 73e771ce2de247b06b70861b8f8f76b18094e3ff354a09c5a7d11ade5aa8b14a
                                            • Instruction ID: 87e4f1f605bcd3d34582abf1ca86f9d1f82dfdbb5bee57388fee05f3b4a81f42
                                            • Opcode Fuzzy Hash: 73e771ce2de247b06b70861b8f8f76b18094e3ff354a09c5a7d11ade5aa8b14a
                                            • Instruction Fuzzy Hash: 6F318D3180DB888FDB59EBA8D885AE9BBF0FF56320F0482AFD049C3552D774A405CB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 52dd9400dcdafcf4a7a0e7dc06d1062868f94c633752a668a418ff0ae220f6eb
                                            • Instruction ID: 087de0ea88d745d2e80b2c7fa08aa52ca9e430b1bf7cbfa96859767f5c757bb5
                                            • Opcode Fuzzy Hash: 52dd9400dcdafcf4a7a0e7dc06d1062868f94c633752a668a418ff0ae220f6eb
                                            • Instruction Fuzzy Hash: DB21EB62F2C9554FE3A8B62C68152BD66D1FBC9660F84067ED04ED32CBDE286C020395
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6aa6c2354f867537621ae849055155ca6aa10dff2bd7f13d21a8d8c14d6d9554
                                            • Instruction ID: c482ebb380d71df11e4ad03111e093733bb56a4f22c34235ffc910d2152879e1
                                            • Opcode Fuzzy Hash: 6aa6c2354f867537621ae849055155ca6aa10dff2bd7f13d21a8d8c14d6d9554
                                            • Instruction Fuzzy Hash: DE213E71908A4C9FDB68EB99D889BEABBF0FB59321F00422ED04AD3652DB706445CB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 258a454c6dc26b87018115280007a4b41a9d2168326766c0c951d25eee41ee67
                                            • Instruction ID: 59672743503403b56342f89b3d0eea43ac9c97c5c9995a3397536c80150af1ed
                                            • Opcode Fuzzy Hash: 258a454c6dc26b87018115280007a4b41a9d2168326766c0c951d25eee41ee67
                                            • Instruction Fuzzy Hash: E921B231919A498FE744FF28C8516FE7BB1FF46350F8806BAE00AD3296CB35A94087C0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 393554c5795185a53521e885208fd2c71d72b67c942129e74ebbfb1716873a7a
                                            • Instruction ID: 809640c1f9cc4cdd5dfe75b75d380db0d8f52a7d4dcbd75eb16b918e8d3e00fe
                                            • Opcode Fuzzy Hash: 393554c5795185a53521e885208fd2c71d72b67c942129e74ebbfb1716873a7a
                                            • Instruction Fuzzy Hash: A5215931E4D6DA5FE782B77888156FA3BE5FF8A340F0441B6E489C3183CE2C98428795
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5ba5c04a019cbb1086642a69b86180726eb683d89620dc8098132a2b5076f546
                                            • Instruction ID: 1e7a581c0f14e36ff2a7aba326a0cdc3a8a15bb8bb0972736ea899395c032337
                                            • Opcode Fuzzy Hash: 5ba5c04a019cbb1086642a69b86180726eb683d89620dc8098132a2b5076f546
                                            • Instruction Fuzzy Hash: 70212164A2DD5AAFE749B7BC54663B9B7C1FF49740F9401B9E00CC32C3DE28681187A6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0a75c4827e941fdc6f50b65cc846441d81171a695d9108f68735606614d544af
                                            • Instruction ID: 04059406d83b0dd890c9eaaec6e3f6b991bfb409806af16addd996f68661e280
                                            • Opcode Fuzzy Hash: 0a75c4827e941fdc6f50b65cc846441d81171a695d9108f68735606614d544af
                                            • Instruction Fuzzy Hash: BA21C034D1DACD8EDB92FB7844541B97BE0FF1A206F4000BAD088E7192EB386895C786
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 874c7aef9710e81d1d7e124fe75138cc638a5ad96eafe8a257b66be4b9ba97ea
                                            • Instruction ID: bc3c6f624a5b615aa537459e7c10bff8cefc3ab4d6a8c5055719cfc538166229
                                            • Opcode Fuzzy Hash: 874c7aef9710e81d1d7e124fe75138cc638a5ad96eafe8a257b66be4b9ba97ea
                                            • Instruction Fuzzy Hash: 2C21CF3094D6898FC742EBA4C815AE97BF0FF8A310B0901EBE048D7152CA3C9846C762
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c63e752abe127daed40590a6b96b9e0a3d30957972fb9c8766fc4f7d67a4442a
                                            • Instruction ID: 3185c124337a2bcfd10d13395c7673c5437bcacd8d9ea10cb19dc4ead9181f51
                                            • Opcode Fuzzy Hash: c63e752abe127daed40590a6b96b9e0a3d30957972fb9c8766fc4f7d67a4442a
                                            • Instruction Fuzzy Hash: DD11C122A2DEAE4FE752F73C58251BD7BA0FF55651F4401B7D048D7293DA246C4683C2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 04c7c541c77fde347f1161bd52de1df0105db9e64400f4c55ef43872164a0a48
                                            • Instruction ID: 23827783b7badf124d11dfdd0e3573e2819d0ed3cf2fc4ab5457c817946567d7
                                            • Opcode Fuzzy Hash: 04c7c541c77fde347f1161bd52de1df0105db9e64400f4c55ef43872164a0a48
                                            • Instruction Fuzzy Hash: 0C114432D19A9C4FDB40ABA8481A1FD7BF0FF24341F8001A7D008D6196EA3858458781
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7e2ba6f786fe056ab1267dd6683cf5c85baf2f2d1da662c503b74cd8312cb663
                                            • Instruction ID: ae0a212384aa217fa85c9cca6757ecf0be5c42b688cb03d87fbaa843a87d96a8
                                            • Opcode Fuzzy Hash: 7e2ba6f786fe056ab1267dd6683cf5c85baf2f2d1da662c503b74cd8312cb663
                                            • Instruction Fuzzy Hash: D9F0F431D0C64D4FE754FE24A8112F9B3A0FB85390F850277D408E3192CF75A8148786
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 396b9d01d61909afd8370cb5ea8b9f4c82019ef3373d7a045ce2ffe15dc7d3b2
                                            • Instruction ID: 739a1e01f6085e1fa0dd44f96dcae99c32ded7a38b8366f037c4a7f06320be17
                                            • Opcode Fuzzy Hash: 396b9d01d61909afd8370cb5ea8b9f4c82019ef3373d7a045ce2ffe15dc7d3b2
                                            • Instruction Fuzzy Hash: 02019E5485F6CA5FDB43B77408200A6BFA0AF03290F8805FBE0D9DB093EA5D2519C356
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 70a8b0b4917f5a9bae8590fff4bac1241e2e729e585cd7ae0ad7190fb1dc025c
                                            • Instruction ID: e6bb3161d6dfdb1c5a5171a936c8f05e09b2fc281b637669984e9ad7e573a097
                                            • Opcode Fuzzy Hash: 70a8b0b4917f5a9bae8590fff4bac1241e2e729e585cd7ae0ad7190fb1dc025c
                                            • Instruction Fuzzy Hash: 4801DD10D1C7C50FE342B7382861075BFF0EF92680F8800AEE489D31D7ED28B9458356
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e163af424290945eb2ba55aac12caaa2f0ac8c98d8e05b1098a2de0c03bc7316
                                            • Instruction ID: 51ee0033e63fefc8255e59da1294b9e12bd1dfb985a56bb0fcca6d99b4f32512
                                            • Opcode Fuzzy Hash: e163af424290945eb2ba55aac12caaa2f0ac8c98d8e05b1098a2de0c03bc7316
                                            • Instruction Fuzzy Hash: C701AD70E1E91A5EEB4CBB38885A2A47290FF15391F841679D41AD20C2DF2AB81B8295
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1b85838d5a570567320846aa9cfc2adc1e9a1d6660490050900ea3b744c00010
                                            • Instruction ID: 7c84b2ef24450b928ac58dae83587e0bd49f3b7add19896329ae05fa203c3b02
                                            • Opcode Fuzzy Hash: 1b85838d5a570567320846aa9cfc2adc1e9a1d6660490050900ea3b744c00010
                                            • Instruction Fuzzy Hash: DBF0FF11E1E9565FFBA6773854263B82680FF91791F8405BAE009C31CBDF2CBC4683A5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fbe5f35fb7d65a7f15278f67b317e8b18be792f04667d9f2cb6cef6d2e04adbb
                                            • Instruction ID: a123537f2e8996feb79455fc3caf21f7e1d556070052ad4505786bf8f23c1a47
                                            • Opcode Fuzzy Hash: fbe5f35fb7d65a7f15278f67b317e8b18be792f04667d9f2cb6cef6d2e04adbb
                                            • Instruction Fuzzy Hash: B1F01730A0861C8FDB98EA58D495ABDB7F1FB99305F0055BED04EF3240CE71A981CB04
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 675e17c25860d5b3ce035fc1840f112a3c0bda60ac78da5fd2fc68d293686866
                                            • Instruction ID: f78a784b62377ed5d63a5d12f9c0a844669d1871843b558cf9c554b746574286
                                            • Opcode Fuzzy Hash: 675e17c25860d5b3ce035fc1840f112a3c0bda60ac78da5fd2fc68d293686866
                                            • Instruction Fuzzy Hash: 09E06831C1CA8C8FD760AA18F8046E8B7A0FF8A309F4400A9E80CD3180CB755908C305
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5df34f4b4f6e19a68aa4dcda07a17fe93f9c3a42cc9dbcc791fc743d558b5c34
                                            • Instruction ID: 7db1cad2fb387ca4440b137ef4c90ddd97d15d914b105b45eed2dc64ebc780ec
                                            • Opcode Fuzzy Hash: 5df34f4b4f6e19a68aa4dcda07a17fe93f9c3a42cc9dbcc791fc743d558b5c34
                                            • Instruction Fuzzy Hash: AFE0683181C95C8FDB54BA5CA8106E97BA0FBA9358F050069D40CE3181C3355451C746
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cfba4222ec3dc40dbaa5e3edcef430bf411890aa26bc040d99e0789102dfc4f6
                                            • Instruction ID: 3f097642a227893eec96723036b1e6ab499c451ee3bd030a5c29646f1a7a52a7
                                            • Opcode Fuzzy Hash: cfba4222ec3dc40dbaa5e3edcef430bf411890aa26bc040d99e0789102dfc4f6
                                            • Instruction Fuzzy Hash: 1DE0C27584E7CE0FDB53672848210E9BFB0FF52240FC801DBE498CA093DA6955298392
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be4fc3a1c9f34bfde023b90d11a65c9fe3fac3b7df67164ce478ab7f6d2d30e9
                                            • Instruction ID: 9a6fe01de8bf7863be7d333dfb1e21fc8232ae2ce3c15c2669b73953bc03a3f6
                                            • Opcode Fuzzy Hash: be4fc3a1c9f34bfde023b90d11a65c9fe3fac3b7df67164ce478ab7f6d2d30e9
                                            • Instruction Fuzzy Hash: B1D05B22B09919195944B3FC24521FCF341EF885F0B501275D11DD21C7DE1954120645
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4ec9cc1a8deb1bf64ab2e9181a31140c0b898673c8765c1fe4c85d66df2ca93b
                                            • Instruction ID: 45023a3eacff8cc6d580bc65879349ccb5feae4168de52f327892642ba9c4450
                                            • Opcode Fuzzy Hash: 4ec9cc1a8deb1bf64ab2e9181a31140c0b898673c8765c1fe4c85d66df2ca93b
                                            • Instruction Fuzzy Hash: 74E0C22595C7CE0FEB52BA3844220EDBF60FF45140F4504AFE8BC56042CB24B5148382
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9180163a70f486e432104b06aec87dab9f169a7c522432b2417919c492d3b5b9
                                            • Instruction ID: 9a4dfb26505dd28a859438b300b4b4fb90c205c556d6384e08dd4bae0089574e
                                            • Opcode Fuzzy Hash: 9180163a70f486e432104b06aec87dab9f169a7c522432b2417919c492d3b5b9
                                            • Instruction Fuzzy Hash: 59A00204CAB81A09D80831BA1D8709475506B99164FD51560EC08A0186E99E35E906D7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2301908963.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ehxF3rusxJ.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: _$pN_L
                                            • API String ID: 0-724164147
                                            • Opcode ID: 3b06f2604e27fab814a51b43e86bd8b0171c61ed2ce3d39d772fa24e752196f0
                                            • Instruction ID: 661a1fa2734c8faaf0c1a61ffa0b2efc38c53fca3ca1bf7f20595b6760ff67be
                                            • Opcode Fuzzy Hash: 3b06f2604e27fab814a51b43e86bd8b0171c61ed2ce3d39d772fa24e752196f0
                                            • Instruction Fuzzy Hash: 34529130F2CA059FE758BB38849A279B7D2FF98781F54457AD40DD3292DF38B8418A46