Edit tour

Windows Analysis Report
1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Overview

General Information

Sample name:	1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe
Analysis ID:	1591662
MD5:	e55c5a3aa16ed38b9d451601f12527f8
SHA1:	138dc85fb2f213537d673720b52a2c56e1bb0a21
SHA256:	33d5fb4708217397a18bbea3a1e10c07544bb81e642555ff9ae18ffd67c1e436
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe (PID: 2676 cmdline: "C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe" MD5: E55C5A3AA16ED38B9D451601F12527F8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["87.120.116.179"], "Port": 1300, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x6417:$str01: $VB$Local_Port 0x6408:$str02: $VB$Local_Host 0x670c:$str03: get_Jpeg 0x60c7:$str04: get_ServicePack 0x7156:$str05: Select * from AntivirusProduct 0x7354:$str06: PCRestart 0x7368:$str07: shutdown.exe /f /r /t 0 0x741a:$str08: StopReport 0x73f0:$str09: StopDDos 0x74f2:$str10: sendPlugin 0x769e:$str12: -ExecutionPolicy Bypass -File " 0x77c7:$str13: Content-length: 5235
1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7a34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7ad1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7be6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x76e2:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1675986502.0000000000562000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1675986502.0000000000562000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7834:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x78d1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x79e6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x74e2:$cnc4: POST / HTTP/1.1
Process Memory Space: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe PID: 2676	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe.560000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe.560000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x6417:$str01: $VB$Local_Port 0x6408:$str02: $VB$Local_Host 0x670c:$str03: get_Jpeg 0x60c7:$str04: get_ServicePack 0x7156:$str05: Select * from AntivirusProduct 0x7354:$str06: PCRestart 0x7368:$str07: shutdown.exe /f /r /t 0 0x741a:$str08: StopReport 0x73f0:$str09: StopDDos 0x74f2:$str10: sendPlugin 0x769e:$str12: -ExecutionPolicy Bypass -File " 0x77c7:$str13: Content-length: 5235
0.0.1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe.560000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7a34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7ad1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7be6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x76e2:$cnc4: POST / HTTP/1.1

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T09:13:53.806970+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.4	50040	87.120.116.179	1300	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Avira: detected

Found malware configuration

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Malware Configuration Extractor: Xworm {"C2 url": ["87.120.116.179"], "Port": 1300, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for submitted file

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Virustotal: Detection: 70%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	String decryptor: 87.120.116.179
Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	String decryptor: 1300
Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	String decryptor: <123456789>
Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	String decryptor: <Xwormmm>
Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	String decryptor: 14-01-25
Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	String decryptor: USB.exe

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49890 -> 87.120.116.179:1300
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:50040 -> 87.120.116.179:1300

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 87.120.116.179

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 87.120.116.179:1300

Source: Joe Sandbox View

IP Address: 87.120.116.179 87.120.116.179

Source: Joe Sandbox View

ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG

Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, 00000000.00000002.4145776967.0000000002801000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, type: SAMPLE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe.560000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.0.1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe.560000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1675986502.0000000000562000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Code function: 0_2_00007FFD9B8A6726		0_2_00007FFD9B8A6726
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Code function: 0_2_00007FFD9B8A74D2		0_2_00007FFD9B8A74D2

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, 00000000.00000000.1676018881.000000000056C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebarsill.exe4 vs 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe
Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Binary or memory string: OriginalFilenamebarsill.exe4 vs 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, type: SAMPLE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe.560000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe.560000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1675986502.0000000000562000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Mutant created: \Sessions\1\BaseNamedObjects\CKIfAznTYvqcKR6Q

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Virustotal: Detection: 70%

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Code function: 0_2_00007FFD9B8A2A14 push eax; iretd		0_2_00007FFD9B8A2A21
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Code function: 0_2_00007FFD9B8A29D4 pushad ; retf		0_2_00007FFD9B8A29E1

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Memory allocated: EA0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Memory allocated: 1A800000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Window / User API: threadDelayed 643			Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	Window / User API: threadDelayed 9219			Jump to behavior

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe TID: 5924	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe TID: 3624	Thread sleep count: 643 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe TID: 3624	Thread sleep count: 9219 > 30	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, 00000000.00000002.4148045906.000000001B750000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlleP

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, 00000000.00000002.4145776967.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, 00000000.00000002.4145776967.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, 00000000.00000002.4145776967.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, 00000000.00000002.4145776967.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, 00000000.00000002.4145776967.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Queries volume information: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, 00000000.00000002.4148045906.000000001B79E000.00000004.00000020.00020000.00000000.sdmp, 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, 00000000.00000002.4148045906.000000001B77B000.00000004.00000020.00020000.00000000.sdmp, 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, 00000000.00000002.4145238038.00000000009C5000.00000004.00000020.00020000.00000000.sdmp, 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, 00000000.00000002.4148045906.000000001B750000.00000004.00000020.00020000.00000000.sdmp, 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, 00000000.00000002.4145238038.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, 00000000.00000002.4145238038.0000000000A6F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1675986502.0000000000562000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe PID: 2676, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1675986502.0000000000562000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe PID: 2676, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	232 Virtualization/Sandbox Evasion	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	232 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	70%	Virustotal		Browse
1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	100%	Avira	TR/Spy.Gen
1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
87.120.116.179	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
87.120.116.179	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe, 00000000.00000002.4145776967.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.120.116.179	unknown	Bulgaria		25206	UNACS-AS-BG8000BurgasBG	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591662
Start date and time:	2025-01-15 09:10:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 3 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:11:25	API Interceptor	14635907x Sleep call for process: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
87.120.116.179	17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe	Get hash	malicious	XWorm	Browse
	17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe	Get hash	malicious	XWorm	Browse
	17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe	Get hash	malicious	XWorm	Browse
	173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Get hash	malicious	XWorm	Browse
	1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe	Get hash	malicious	XWorm	Browse
	17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe	Get hash	malicious	XWorm	Browse
	17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe	Get hash	malicious	XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNACS-AS-BG8000BurgasBG	Order Drawing.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	87.120.116.245
	Material Requirments.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	87.120.116.245
	preliminary drawing.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	87.120.127.120
	5tCuNr661k.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	5tCuNr661k.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	shaLnqmyTS.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	shaLnqmyTS.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	zAGUEDGSTM.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	WtZl31OLfA.exe	Get hash	malicious	Remcos, GuLoader	Browse	87.120.116.187
	C5Zr4LSzmp.exe	Get hash	malicious	RedLine	Browse	87.120.120.86

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.61029561035472
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe
File size:	36'864 bytes
MD5:	e55c5a3aa16ed38b9d451601f12527f8
SHA1:	138dc85fb2f213537d673720b52a2c56e1bb0a21
SHA256:	33d5fb4708217397a18bbea3a1e10c07544bb81e642555ff9ae18ffd67c1e436
SHA512:	a6cc4101f5c96c1c1caeee4a9559d6dd5a854ad94fa3716ddbb582f551a0efe65ffd38a5949edab28bcdc1bedce1a02fc8770fecdd518389c5ec8690c6418f9a
SSDEEP:	768:sL13A5Uno9RfHWa2B71eo8icH1bxbFb9EcOMh2iQXvq7G:axA5Uno9JHWXZeNicH1bBFb9EcOMh6c
TLSH:	1BF24C48BBE04216D9ED6BF5A97372020674EA13D917EB4E4CD486D76F23BC48D013EA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...+~.g................................. ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40a5ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67867E2B [Tue Jan 14 15:09:31 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa594	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x85f4	0x8600	429e81b8d907e20edb5fdf52b0b36a8b	False	0.49900886194029853	data	5.746024050874507	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x4d8	0x600	6a547f450a0f60a48827df85c9b55492	False	0.373046875	data	3.7131519772371093	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	fd3ac7fbb8a34dc91e775b7c64e87bbc	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc0a0	0x244	data			0.4689655172413793
RT_MANIFEST	0xc2e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T09:12:43.622709+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49890	87.120.116.179	1300	TCP
2025-01-15T09:13:53.806970+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	50040	87.120.116.179	1300	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 09:11:27.372426033 CET	49730	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:27.378460884 CET	1300	49730	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:27.378551006 CET	49730	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:27.554054022 CET	49730	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:27.558979034 CET	1300	49730	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:28.991770029 CET	1300	49730	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:28.991851091 CET	49730	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:31.126369953 CET	49730	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:31.129329920 CET	49731	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:31.131396055 CET	1300	49730	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:31.134196997 CET	1300	49731	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:31.134284973 CET	49731	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:31.166663885 CET	49731	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:31.171686888 CET	1300	49731	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:32.757523060 CET	1300	49731	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:32.757591963 CET	49731	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:34.478657007 CET	49731	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:34.481096029 CET	49732	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:34.484090090 CET	1300	49731	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:34.486813068 CET	1300	49732	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:34.486881971 CET	49732	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:34.599781036 CET	49732	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:34.607364893 CET	1300	49732	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:36.101310968 CET	1300	49732	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:36.101475000 CET	49732	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:40.102502108 CET	49732	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:40.105511904 CET	49733	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:40.107400894 CET	1300	49732	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:40.110323906 CET	1300	49733	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:40.110393047 CET	49733	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:40.142272949 CET	49733	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:40.147046089 CET	1300	49733	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:41.727771044 CET	1300	49733	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:41.727833033 CET	49733	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:43.462066889 CET	49733	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:43.464976072 CET	49739	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:43.466957092 CET	1300	49733	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:43.469855070 CET	1300	49739	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:43.469968081 CET	49739	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:43.490180016 CET	49739	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:43.495085001 CET	1300	49739	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:45.087687969 CET	1300	49739	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:45.087785959 CET	49739	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:46.760505915 CET	49739	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:46.763087034 CET	49741	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:46.765521049 CET	1300	49739	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:46.768079996 CET	1300	49741	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:46.768148899 CET	49741	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:46.818254948 CET	49741	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:46.823156118 CET	1300	49741	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:48.400130033 CET	1300	49741	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:48.400332928 CET	49741	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:51.055583954 CET	49741	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:51.056344986 CET	49742	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:51.191715956 CET	1300	49741	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:51.191735983 CET	1300	49742	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:51.191910028 CET	49742	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:51.209347010 CET	49742	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:51.215473890 CET	1300	49742	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:52.836618900 CET	1300	49742	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:52.836757898 CET	49742	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:55.774369955 CET	49742	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:55.776415110 CET	49743	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:55.779469013 CET	1300	49742	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:55.781332016 CET	1300	49743	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:55.781414986 CET	49743	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:55.877687931 CET	49743	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:11:55.882630110 CET	1300	49743	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:57.418489933 CET	1300	49743	87.120.116.179	192.168.2.4
Jan 15, 2025 09:11:57.418561935 CET	49743	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:00.227720022 CET	49743	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:00.228693962 CET	49744	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:00.232695103 CET	1300	49743	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:00.233647108 CET	1300	49744	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:00.233753920 CET	49744	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:00.248869896 CET	49744	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:00.253823996 CET	1300	49744	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:01.836678028 CET	1300	49744	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:01.837066889 CET	49744	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:04.086918116 CET	49744	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:04.087646961 CET	49745	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:04.092056036 CET	1300	49744	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:04.092581034 CET	1300	49745	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:04.092670918 CET	49745	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:04.108171940 CET	49745	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:04.113097906 CET	1300	49745	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:05.712301016 CET	1300	49745	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:05.715404034 CET	49745	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:07.211812973 CET	49745	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:07.213484049 CET	49746	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:07.216819048 CET	1300	49745	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:07.218379021 CET	1300	49746	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:07.218455076 CET	49746	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:07.235232115 CET	49746	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:07.240144014 CET	1300	49746	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:08.857494116 CET	1300	49746	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:08.857595921 CET	49746	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:10.055562019 CET	49746	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:10.056494951 CET	49747	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:10.060460091 CET	1300	49746	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:10.061408997 CET	1300	49747	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:10.061503887 CET	49747	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:10.077805042 CET	49747	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:10.082772017 CET	1300	49747	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:11.663978100 CET	1300	49747	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:11.664081097 CET	49747	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:13.024411917 CET	49747	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:13.025238037 CET	49748	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:13.029299021 CET	1300	49747	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:13.030034065 CET	1300	49748	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:13.031343937 CET	49748	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:13.049294949 CET	49748	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:13.054116964 CET	1300	49748	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:14.649755001 CET	1300	49748	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:14.650041103 CET	49748	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:15.711850882 CET	49748	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:15.712624073 CET	49749	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:15.716844082 CET	1300	49748	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:15.717519045 CET	1300	49749	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:15.717617989 CET	49749	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:15.733208895 CET	49749	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:15.738274097 CET	1300	49749	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:17.321326971 CET	1300	49749	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:17.321402073 CET	49749	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:17.853326082 CET	49749	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:17.854227066 CET	49750	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:17.858289003 CET	1300	49749	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:17.859126091 CET	1300	49750	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:17.859189034 CET	49750	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:17.875582933 CET	49750	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:17.880482912 CET	1300	49750	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:19.491477013 CET	1300	49750	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:19.491673946 CET	49750	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:19.493117094 CET	49750	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:19.493957996 CET	49752	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:19.499443054 CET	1300	49750	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:19.499455929 CET	1300	49752	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:19.499528885 CET	49752	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:19.515995979 CET	49752	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:19.521194935 CET	1300	49752	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:21.121891022 CET	1300	49752	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:21.122006893 CET	49752	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:21.930711031 CET	49752	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:21.931535959 CET	49759	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:21.938808918 CET	1300	49752	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:21.939742088 CET	1300	49759	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:21.945319891 CET	49759	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:21.956599951 CET	49759	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:21.964807987 CET	1300	49759	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:23.555277109 CET	1300	49759	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:23.555721998 CET	49759	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:23.621656895 CET	49759	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:23.623259068 CET	49770	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:23.626519918 CET	1300	49759	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:23.628412962 CET	1300	49770	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:23.628499985 CET	49770	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:23.647238016 CET	49770	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:23.652173042 CET	1300	49770	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:25.225086927 CET	1300	49770	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:25.225220919 CET	49770	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:25.462804079 CET	49770	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:25.464334965 CET	49781	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:25.468173027 CET	1300	49770	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:25.469616890 CET	1300	49781	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:25.469840050 CET	49781	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:25.496517897 CET	49781	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:25.501558065 CET	1300	49781	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:27.086467981 CET	1300	49781	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:27.086534023 CET	49781	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:27.086916924 CET	49781	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:27.087747097 CET	49792	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:27.091722965 CET	1300	49781	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:27.092490911 CET	1300	49792	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:27.092567921 CET	49792	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:27.108274937 CET	49792	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:27.113025904 CET	1300	49792	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:28.692400932 CET	1300	49792	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:28.694753885 CET	49792	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:28.696317911 CET	49792	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:28.698059082 CET	49803	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:28.701400042 CET	1300	49792	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:28.702874899 CET	1300	49803	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:28.702976942 CET	49803	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:28.737596035 CET	49803	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:28.742733002 CET	1300	49803	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:30.325632095 CET	1300	49803	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:30.326153994 CET	49803	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:30.326242924 CET	49803	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:30.328021049 CET	49814	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:30.331126928 CET	1300	49803	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:30.332969904 CET	1300	49814	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:30.333093882 CET	49814	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:30.347276926 CET	49814	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:30.352200985 CET	1300	49814	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:31.965558052 CET	1300	49814	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:31.965619087 CET	49814	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:35.789272070 CET	49814	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:35.793149948 CET	49849	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:35.794249058 CET	1300	49814	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:35.798152924 CET	1300	49849	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:35.798230886 CET	49849	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:36.517352104 CET	49849	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:36.522150040 CET	1300	49849	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:37.398272038 CET	1300	49849	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:37.398371935 CET	49849	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:41.950855970 CET	49849	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:41.955705881 CET	1300	49849	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:42.010380030 CET	49890	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:42.016522884 CET	1300	49890	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:42.016619921 CET	49890	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:42.654637098 CET	49890	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:42.659574032 CET	1300	49890	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:43.622709036 CET	49890	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:43.627727032 CET	1300	49890	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:43.635324955 CET	1300	49890	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:43.635379076 CET	49890	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:47.727534056 CET	49890	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:47.728871107 CET	49928	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:47.732486010 CET	1300	49890	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:47.733700991 CET	1300	49928	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:47.733809948 CET	49928	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:47.772983074 CET	49928	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:47.777801991 CET	1300	49928	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:47.790491104 CET	49928	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:47.795373917 CET	1300	49928	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:47.806421041 CET	49928	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:47.811196089 CET	1300	49928	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:47.821744919 CET	49928	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:47.827415943 CET	1300	49928	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:47.977875948 CET	49928	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:47.982773066 CET	1300	49928	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:49.317513943 CET	1300	49928	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:49.320544958 CET	49928	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:53.089401007 CET	49928	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:53.089401960 CET	49964	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:53.094532013 CET	1300	49928	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:53.094577074 CET	1300	49964	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:53.095474958 CET	49964	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:53.241395950 CET	49964	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:53.246440887 CET	1300	49964	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:54.712706089 CET	1300	49964	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:54.713529110 CET	49964	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:58.321788073 CET	49964	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:58.324400902 CET	49998	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:58.328712940 CET	1300	49964	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:58.331233025 CET	1300	49998	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:58.331293106 CET	49998	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:58.368153095 CET	49998	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:58.373022079 CET	1300	49998	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:58.416203022 CET	49998	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:12:58.421117067 CET	1300	49998	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:59.931384087 CET	1300	49998	87.120.116.179	192.168.2.4
Jan 15, 2025 09:12:59.931444883 CET	49998	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:03.587595940 CET	49998	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:03.590637922 CET	50031	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:03.592523098 CET	1300	49998	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:03.595489025 CET	1300	50031	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:03.595551968 CET	50031	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:03.963692904 CET	50031	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:03.968868017 CET	1300	50031	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:04.009154081 CET	50031	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:04.014167070 CET	1300	50031	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:04.134047031 CET	50031	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:04.139098883 CET	1300	50031	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:04.149833918 CET	50031	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:04.154644966 CET	1300	50031	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:04.165210962 CET	50031	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:04.170073986 CET	1300	50031	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:05.228374958 CET	1300	50031	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:05.231388092 CET	50031	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:09.165225029 CET	50031	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:09.169452906 CET	50032	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:09.170222044 CET	1300	50031	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:09.174474955 CET	1300	50032	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:09.174679995 CET	50032	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:09.510845900 CET	50032	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:09.515654087 CET	1300	50032	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:09.590082884 CET	50032	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:09.595005989 CET	1300	50032	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:10.024661064 CET	50032	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:10.029604912 CET	1300	50032	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:10.040281057 CET	50032	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:10.045097113 CET	1300	50032	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:10.071686983 CET	50032	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:10.076580048 CET	1300	50032	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:10.102854013 CET	50032	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:10.107781887 CET	1300	50032	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:10.149866104 CET	50032	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:10.154782057 CET	1300	50032	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:10.196680069 CET	50032	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:10.201777935 CET	1300	50032	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:10.274775028 CET	50032	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:10.279818058 CET	1300	50032	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:10.368717909 CET	50032	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:10.373833895 CET	1300	50032	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:10.477782011 CET	50032	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:10.482846022 CET	1300	50032	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:10.810404062 CET	1300	50032	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:10.810484886 CET	50032	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:15.528569937 CET	50032	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:15.533646107 CET	1300	50032	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:15.598206997 CET	50033	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:15.603218079 CET	1300	50033	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:15.603301048 CET	50033	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:15.707066059 CET	50033	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:15.711927891 CET	1300	50033	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:15.899887085 CET	50033	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:15.904994965 CET	1300	50033	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:16.071846008 CET	50033	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:16.077069044 CET	1300	50033	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:16.118916988 CET	50033	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:16.124059916 CET	1300	50033	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:17.214648008 CET	1300	50033	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:17.214946985 CET	50033	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:21.165808916 CET	50033	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:21.166963100 CET	50034	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:21.170793056 CET	1300	50033	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:21.171989918 CET	1300	50034	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:21.172059059 CET	50034	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:21.676728010 CET	50034	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:21.681693077 CET	1300	50034	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:22.009017944 CET	50034	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:22.014447927 CET	1300	50034	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:22.795185089 CET	1300	50034	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:22.795608044 CET	50034	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:27.041676998 CET	50034	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:27.043875933 CET	50035	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:27.046571970 CET	1300	50034	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:27.048691988 CET	1300	50035	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:27.048778057 CET	50035	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:27.128488064 CET	50035	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:27.133514881 CET	1300	50035	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:28.667704105 CET	1300	50035	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:28.668138027 CET	50035	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:32.446404934 CET	50035	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:32.448735952 CET	50036	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:32.451380014 CET	1300	50035	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:32.453620911 CET	1300	50036	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:32.453680992 CET	50036	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:32.483774900 CET	50036	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:32.488663912 CET	1300	50036	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:32.508966923 CET	50036	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:32.513839006 CET	1300	50036	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:32.587188005 CET	50036	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:32.592155933 CET	1300	50036	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:33.153486967 CET	50036	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:33.158356905 CET	1300	50036	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:34.074103117 CET	1300	50036	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:34.074158907 CET	50036	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:37.633907080 CET	50036	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:37.638801098 CET	1300	50036	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:37.639056921 CET	50037	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:37.643958092 CET	1300	50037	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:37.644025087 CET	50037	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:37.701888084 CET	50037	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:37.706998110 CET	1300	50037	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:37.712184906 CET	50037	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:37.717081070 CET	1300	50037	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:37.790556908 CET	50037	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:37.795558929 CET	1300	50037	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:37.899947882 CET	50037	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:37.905227900 CET	1300	50037	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:37.931267023 CET	50037	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:37.936439991 CET	1300	50037	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:37.946702003 CET	50037	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:37.951617956 CET	1300	50037	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:37.962522984 CET	50037	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:37.967444897 CET	1300	50037	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:38.118571043 CET	50037	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:38.124499083 CET	1300	50037	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:38.134293079 CET	50037	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:38.139246941 CET	1300	50037	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:38.166065931 CET	50037	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:38.171192884 CET	1300	50037	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:38.196597099 CET	50037	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:38.201925993 CET	1300	50037	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:39.262011051 CET	1300	50037	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:39.265594959 CET	50037	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:43.213042021 CET	50037	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:43.213043928 CET	50038	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:43.217875004 CET	1300	50037	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:43.217896938 CET	1300	50038	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:43.221673965 CET	50038	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:43.295964956 CET	50038	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:43.300812960 CET	1300	50038	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:44.818599939 CET	1300	50038	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:44.825542927 CET	50038	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:48.415252924 CET	50038	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:48.417439938 CET	50039	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:48.420192957 CET	1300	50038	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:48.422350883 CET	1300	50039	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:48.422472954 CET	50039	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:48.454458952 CET	50039	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:48.459347010 CET	1300	50039	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:48.571595907 CET	50039	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:48.576392889 CET	1300	50039	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:48.587323904 CET	50039	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:48.592088938 CET	1300	50039	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:48.602776051 CET	50039	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:48.607629061 CET	1300	50039	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:50.045017004 CET	1300	50039	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:50.045120001 CET	50039	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:53.743345022 CET	50039	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:53.745790005 CET	50040	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:53.748260975 CET	1300	50039	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:53.750577927 CET	1300	50040	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:53.750627041 CET	50040	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:53.784024000 CET	50040	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:53.788794041 CET	1300	50040	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:53.806969881 CET	50040	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:53.811800957 CET	1300	50040	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:53.931050062 CET	50040	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:53.937516928 CET	1300	50040	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:53.946527004 CET	50040	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:53.951355934 CET	1300	50040	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:53.962106943 CET	50040	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:53.966900110 CET	1300	50040	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:53.977891922 CET	50040	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:53.993199110 CET	1300	50040	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:53.993627071 CET	50040	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:53.998424053 CET	1300	50040	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:55.373446941 CET	1300	50040	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:55.379534960 CET	50040	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:59.008913994 CET	50040	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:59.013931990 CET	1300	50040	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:59.019378901 CET	50041	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:59.024282932 CET	1300	50041	87.120.116.179	192.168.2.4
Jan 15, 2025 09:13:59.024502993 CET	50041	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:59.100131035 CET	50041	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:13:59.105037928 CET	1300	50041	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:00.656188011 CET	1300	50041	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:00.656259060 CET	50041	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:04.337244987 CET	50041	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:04.340270042 CET	50042	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:04.342097044 CET	1300	50041	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:04.345119953 CET	1300	50042	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:04.345177889 CET	50042	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:04.377809048 CET	50042	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:04.382575989 CET	1300	50042	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:05.915486097 CET	50042	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:05.920267105 CET	1300	50042	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:05.964879036 CET	1300	50042	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:05.964930058 CET	50042	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:09.451441050 CET	50042	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:09.453535080 CET	50043	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:09.456248045 CET	1300	50042	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:09.458405972 CET	1300	50043	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:09.459345102 CET	50043	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:09.553527117 CET	50043	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:09.558377028 CET	1300	50043	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:11.097469091 CET	1300	50043	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:11.097616911 CET	50043	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:14.572071075 CET	50043	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:14.574270010 CET	50044	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:14.576958895 CET	1300	50043	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:14.579134941 CET	1300	50044	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:14.579188108 CET	50044	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:14.622627974 CET	50044	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:14.627712965 CET	1300	50044	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:14.650012970 CET	50044	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:14.655163050 CET	1300	50044	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:16.215631008 CET	1300	50044	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:16.215718985 CET	50044	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:19.884226084 CET	50044	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:19.886231899 CET	50045	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:19.889121056 CET	1300	50044	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:19.891092062 CET	1300	50045	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:19.891155958 CET	50045	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:19.926075935 CET	50045	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:19.930946112 CET	1300	50045	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:20.009244919 CET	50045	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:20.014203072 CET	1300	50045	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:20.040551901 CET	50045	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:20.045588017 CET	1300	50045	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:20.149877071 CET	50045	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:20.155119896 CET	1300	50045	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:20.165575027 CET	50045	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:20.170368910 CET	1300	50045	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:20.196850061 CET	50045	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:20.201797962 CET	1300	50045	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:20.212332964 CET	50045	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:20.217251062 CET	1300	50045	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:21.510719061 CET	1300	50045	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:21.513628960 CET	50045	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:25.246085882 CET	50046	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:25.246088982 CET	50045	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:25.251101017 CET	1300	50046	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:25.251219034 CET	50046	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:25.251251936 CET	1300	50045	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:25.397547007 CET	50046	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:25.402715921 CET	1300	50046	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:25.416037083 CET	50046	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:25.420993090 CET	1300	50046	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:26.852793932 CET	1300	50046	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:26.852864027 CET	50046	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:30.431322098 CET	50046	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:30.433958054 CET	50047	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:30.436289072 CET	1300	50046	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:30.438792944 CET	1300	50047	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:30.438847065 CET	50047	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:30.478857994 CET	50047	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:30.483864069 CET	1300	50047	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:30.509377956 CET	50047	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:30.514410019 CET	1300	50047	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:30.524734020 CET	50047	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:30.529565096 CET	1300	50047	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:30.571938038 CET	50047	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:30.576816082 CET	1300	50047	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:30.587471008 CET	50047	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:30.592339039 CET	1300	50047	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:32.075443983 CET	1300	50047	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:32.075537920 CET	50047	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:35.628585100 CET	50047	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:35.631489992 CET	50048	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:35.633541107 CET	1300	50047	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:35.636425018 CET	1300	50048	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:35.640127897 CET	50048	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:35.772634029 CET	50048	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:35.777564049 CET	1300	50048	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:37.262543917 CET	1300	50048	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:37.267666101 CET	50048	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:40.899627924 CET	50048	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:40.901622057 CET	50049	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:40.904521942 CET	1300	50048	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:40.906512022 CET	1300	50049	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:40.906608105 CET	50049	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:40.993453979 CET	50049	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:41.003720999 CET	1300	50049	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:41.181613922 CET	50049	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:41.186614990 CET	1300	50049	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:42.526614904 CET	1300	50049	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:42.526691914 CET	50049	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:46.587189913 CET	50049	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:46.589759111 CET	50050	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:46.592358112 CET	1300	50049	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:46.594676018 CET	1300	50050	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:46.594733953 CET	50050	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:46.624795914 CET	50050	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:46.629736900 CET	1300	50050	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:46.634140968 CET	50050	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:46.639015913 CET	1300	50050	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:46.649909019 CET	50050	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:46.654690027 CET	1300	50050	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:46.665425062 CET	50050	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:46.670316935 CET	1300	50050	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:48.198998928 CET	1300	50050	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:48.199062109 CET	50050	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:51.665616989 CET	50050	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:51.669635057 CET	50051	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:51.670603037 CET	1300	50050	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:51.674573898 CET	1300	50051	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:51.674757957 CET	50051	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:52.027767897 CET	50051	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:52.032778978 CET	1300	50051	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:52.259303093 CET	50051	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:52.264374018 CET	1300	50051	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:52.274844885 CET	50051	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:52.279740095 CET	1300	50051	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:52.290482044 CET	50051	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:52.295346022 CET	1300	50051	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:52.353164911 CET	50051	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:52.358098984 CET	1300	50051	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:53.327795029 CET	1300	50051	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:53.328502893 CET	50051	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:57.417649984 CET	50051	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:57.417678118 CET	50052	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:57.423029900 CET	1300	50051	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:57.423063993 CET	1300	50052	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:57.423213005 CET	50052	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:57.633774042 CET	50052	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:14:57.638775110 CET	1300	50052	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:59.058588982 CET	1300	50052	87.120.116.179	192.168.2.4
Jan 15, 2025 09:14:59.061748028 CET	50052	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:02.665721893 CET	50052	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:02.669795990 CET	50053	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:02.670763016 CET	1300	50052	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:02.674724102 CET	1300	50053	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:02.674787045 CET	50053	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:02.942900896 CET	50053	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:02.948539972 CET	1300	50053	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:04.309691906 CET	1300	50053	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:04.309753895 CET	50053	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:08.509079933 CET	50053	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:08.510853052 CET	50054	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:08.514225960 CET	1300	50053	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:08.515783072 CET	1300	50054	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:08.515839100 CET	50054	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:08.546190977 CET	50054	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:08.551194906 CET	1300	50054	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:10.118868113 CET	1300	50054	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:10.118935108 CET	50054	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:13.557837009 CET	50054	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:13.566327095 CET	1300	50054	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:13.624083996 CET	50055	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:13.632549047 CET	1300	50055	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:13.633188009 CET	50055	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:13.889065981 CET	50055	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:13.894709110 CET	1300	50055	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:14.009272099 CET	50055	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:14.014209032 CET	1300	50055	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:14.087404966 CET	50055	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:14.092749119 CET	1300	50055	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:14.166090012 CET	50055	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:14.170964956 CET	1300	50055	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:14.196923018 CET	50055	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:14.201792955 CET	1300	50055	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:14.212555885 CET	50055	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:14.217406034 CET	1300	50055	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:14.243714094 CET	50055	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:14.248610020 CET	1300	50055	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:15.248158932 CET	1300	50055	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:15.248402119 CET	50055	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:19.263015985 CET	50055	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:19.268578053 CET	1300	50055	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:19.279263020 CET	50056	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:19.284738064 CET	1300	50056	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:19.285535097 CET	50056	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:19.629690886 CET	50056	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:19.635418892 CET	1300	50056	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:19.713120937 CET	50056	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:19.718296051 CET	1300	50056	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:20.887458086 CET	1300	50056	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:20.888365030 CET	50056	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:24.809166908 CET	50056	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:24.811681032 CET	50057	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:24.814116955 CET	1300	50056	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:24.816596031 CET	1300	50057	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:24.816664934 CET	50057	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:24.901710033 CET	50057	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:24.906640053 CET	1300	50057	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:26.435930014 CET	1300	50057	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:26.436027050 CET	50057	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:30.165416956 CET	50057	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:30.167146921 CET	50058	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:30.170470953 CET	1300	50057	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:30.172113895 CET	1300	50058	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:30.172179937 CET	50058	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:30.202174902 CET	50058	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:30.207076073 CET	1300	50058	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:30.431210041 CET	50058	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:30.436106920 CET	1300	50058	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:30.446728945 CET	50058	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:30.451787949 CET	1300	50058	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:30.478005886 CET	50058	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:30.482943058 CET	1300	50058	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:30.509265900 CET	50058	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:30.514208078 CET	1300	50058	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:31.212764025 CET	50058	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:31.217854023 CET	1300	50058	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:31.830063105 CET	1300	50058	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:31.836990118 CET	50058	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:36.212246895 CET	50058	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:36.212825060 CET	50059	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:36.217237949 CET	1300	50058	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:36.217700005 CET	1300	50059	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:36.217766047 CET	50059	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:36.245088100 CET	50059	1300	192.168.2.4	87.120.116.179
Jan 15, 2025 09:15:36.250811100 CET	1300	50059	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:37.824892044 CET	1300	50059	87.120.116.179	192.168.2.4
Jan 15, 2025 09:15:37.832911968 CET	50059	1300	192.168.2.4	87.120.116.179

Analysis Process: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exePID: 2676, Parent PID: 2580

General

Target ID:	0
Start time:	03:11:22
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe"
Imagebase:	0x560000
File size:	36'864 bytes
MD5 hash:	E55C5A3AA16ED38B9D451601F12527F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1675986502.0000000000562000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1675986502.0000000000562000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exePID: 2676, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	20.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B8A6726 Relevance: .5, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4149638068.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6633061daf9e1dd4fdc6a1b05dfc4f07d3191543cb28b16872bcb337d804d14
Instruction ID: 19a20560a361c85f3dce29a3cccbcfc23f7570aada45f485287f230df342d1d7
Opcode Fuzzy Hash: c6633061daf9e1dd4fdc6a1b05dfc4f07d3191543cb28b16872bcb337d804d14
Instruction Fuzzy Hash: 1BF1D970A0DA8D8FEBA8DF28C8557E977E1FF58310F04426ED84DC7295DB34A9458B81

Function 00007FFD9B8A74D2 Relevance: .5, Instructions: 458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4149638068.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be268f4941d996031a60b71d84c68872280a0b85b0914c7773235bbc35c251bb
Instruction ID: 4ea47b73e7adf49eb76a4bd48e35225b939949c7655f030f9a42e452a4e021cb
Opcode Fuzzy Hash: be268f4941d996031a60b71d84c68872280a0b85b0914c7773235bbc35c251bb
Instruction Fuzzy Hash: DDE1C530A09A8D8FEBA8DF28C8657E977D1FF58310F14426ED84DC72A5DF74A9418781

Function 00007FFD9B8A1BF8 Relevance: 1.6, APIs: 1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9B8A1CC1

Memory Dump Source

Source File: 00000000.00000002.4149638068.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: c46939344a0a64b884d874f9d7b74469e2b766d89859db487ff307cda3ed5242
Instruction ID: a78337e7cffbf1a101f511d47b8a0cb276ef1c60e4367180261b453303ed9585
Opcode Fuzzy Hash: c46939344a0a64b884d874f9d7b74469e2b766d89859db487ff307cda3ed5242
Instruction Fuzzy Hash: AF411630A0CA5D4FDB1CEB6C98166F97BE1EF5A321F00427ED049C3292DE64A852C7C1

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

Windows Analysis Report
1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe

Function 00007FFD9B8A6726 Relevance: .5, Instructions: 472
COMMON

Function 00007FFD9B8A74D2 Relevance: .5, Instructions: 458
COMMON

Function 00007FFD9B8A1BF8 Relevance: 1.6, APIs: 1, Instructions: 141
COMMON