
Windows Analysis Report
17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe

Overview

General Information

Sample name: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe
Analysis ID: 1598374
MD5: 648c182e090bbda47f228fb15eaa7daa
SHA1: 5c6b5a0f89b91cee34112357979202633b787490
SHA256: ba2596817b32f9dfc9358119e4a294b5673cefe55b991ce49d94f36b79c7268a
Tags: base64-decoded, exe, user-abuse_ch

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found potential dummy code loops (likely to delay analysis)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
{
  "C2 url": [
    "85.31.47.24"
  ],
  "Port": 1888,
  "Aes key": "<123456789>",
  "SPL": "<Xwormmm>",
  "Install file": "USB.exe"
}
Yara matches: submitted sample

Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  Rule: rat_win_xworm_v3 | Description: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
    • 0x6417:$str01: $VB$Local_Port
    • 0x6408:$str02: $VB$Local_Host
    • 0x670c:$str03: get_Jpeg
    • 0x60c7:$str04: get_ServicePack
    • 0x7156:$str05: Select * from AntivirusProduct
    • 0x7354:$str06: PCRestart
    • 0x7368:$str07: shutdown.exe /f /r /t 0
    • 0x741a:$str08: StopReport
    • 0x73f0:$str09: StopDDos
    • 0x74f2:$str10: sendPlugin
    • 0x769e:$str12: -ExecutionPolicy Bypass -File "
    • 0x77c7:$str13: Content-length: 5235
  Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
    • 0x7a34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7ad1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7be6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x76e2:$cnc4: POST / HTTP/1.1

Yara matches: memory dumps

Source: 00000000.00000000.2124445370.0000000000222000.00000002.00000001.01000000.00000003.sdmp
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
    • 0x7834:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x78d1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x79e6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x74e2:$cnc4: POST / HTTP/1.1
Source: Process Memory Space: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe PID: 2300
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security

Yara matches: unpacked PE

Source: 0.0.17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe.220000.0.unpack
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  Rule: rat_win_xworm_v3 | Description: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
    • 0x6417:$str01: $VB$Local_Port
    • 0x6408:$str02: $VB$Local_Host
    • 0x670c:$str03: get_Jpeg
    • 0x60c7:$str04: get_ServicePack
    • 0x7156:$str05: Select * from AntivirusProduct
    • 0x7354:$str06: PCRestart
    • 0x7368:$str07: shutdown.exe /f /r /t 0
    • 0x741a:$str08: StopReport
    • 0x73f0:$str09: StopDDos
    • 0x74f2:$str10: sendPlugin
    • 0x769e:$str12: -ExecutionPolicy Bypass -File "
    • 0x77c7:$str13: Content-length: 5235
  Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
    • 0x7a34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7ad1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7be6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x76e2:$cnc4: POST / HTTP/1.1
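The rat_win_xworm_v3 hits above are plain string matches at file offsets, which means they can be reproduced on a quarantined file without a sandbox. The script below is an added example written for this page; it is not Joe Sandbox, Sekoia.io or XWorm code. It takes the string list from the match table, searches a buffer for each string in both ASCII and UTF-16LE form (a .NET image keeps metadata names such as get_Jpeg as NUL-terminated ASCII in the #Strings heap and string literals such as the WMI query as UTF-16LE in the #US heap), and prints hits in the same 0xOFFSET:$id form as the table. The rule's real condition and string modifiers are not on this page, so the "at least 8 distinct strings" threshold is an assumption, and the buffer it scans is constructed inline rather than taken from the sample.

```python
"""Reproduce rat_win_xworm_v3-style string hits on a buffer (added example)."""
from typing import Dict, List, Tuple

# String ids and texts copied from the sandbox match table above.
XWORM_V3_STRINGS: Dict[str, str] = {
    "str01": "$VB$Local_Port",
    "str02": "$VB$Local_Host",
    "str03": "get_Jpeg",
    "str04": "get_ServicePack",
    "str05": "Select * from AntivirusProduct",
    "str06": "PCRestart",
    "str07": "shutdown.exe /f /r /t 0",
    "str08": "StopReport",
    "str09": "StopDDos",
    "str10": "sendPlugin",
    "str12": '-ExecutionPolicy Bypass -File "',
    "str13": "Content-length: 5235",
}

MATCH_THRESHOLD = 8  # assumption: the real rule condition is not on this page


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Every offset of needle in data, overlapping occurrences included."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def scan(data: bytes, strings: Dict[str, str] = XWORM_V3_STRINGS) -> Dict[str, List[Tuple[int, str]]]:
    """Map each string id to (offset, encoding) pairs; both ASCII and wide forms are searched."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for name, text in strings.items():
        for needle, encoding in ((text.encode("ascii"), "ascii"),
                                 (text.encode("utf-16-le"), "wide")):
            for off in find_all(data, needle):
                hits.setdefault(name, []).append((off, encoding))
    return hits


def matches(hits: Dict[str, List[Tuple[int, str]]], threshold: int = MATCH_THRESHOLD) -> bool:
    """Rule-style verdict: enough distinct strings were found."""
    return len(hits) >= threshold


def report(data: bytes) -> List[str]:
    """Lines in the sandbox table's format: 0xOFFSET:$id: text (encoding)."""
    lines = []
    for name, occurrences in sorted(scan(data).items()):
        for off, enc in occurrences:
            lines.append(f"0x{off:x}:${name}: {XWORM_V3_STRINGS[name]} ({enc})")
    return lines


def build_sample_buffer() -> bytes:
    """Constructed stand-in for a .NET image: padding, an ASCII name heap, a wide literal heap."""
    names = [b"$VB$Local_Host", b"$VB$Local_Port", b"get_ServicePack", b"get_Jpeg",
             b"StopDDos", b"StopReport", b"sendPlugin"]
    literals = ["Select * from AntivirusProduct", "PCRestart", "shutdown.exe /f /r /t 0"]
    strings_heap = b"\x00" + b"\x00".join(names) + b"\x00"
    us_heap = b"".join(s.encode("utf-16-le") + b"\x00" for s in literals)
    return b"\x00" * 0x100 + strings_heap + b"\x00" * 0x20 + us_heap


if __name__ == "__main__":
    sample = build_sample_buffer()
    print("\n".join(report(sample)))
    print("rule match:", matches(scan(sample)))
```

Two things the offsets table does not say: a hit on a packed or base64-wrapped carrier (this file was submitted as a decoded .dat) will only appear after decoding, and the MALWARE_Win_AsyncRAT hit on the same file is expected rather than a second infection, since the $cnc strings that rule keys on are generic browser User-Agent literals that XWorm's code base shares with AsyncRAT.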
          No Sigma rule has matched
Suricata alerts

Timestamp: 2025-01-24T08:02:54.395678+0100 | SID: 2853193 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source: 192.168.2.5:50019 | Destination: 85.31.47.24:1888 | Protocol: TCP


          AV Detection

Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Avira: detected
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Malware Configuration Extractor: Xworm {"C2 url": ["85.31.47.24"], "Port": 1888, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Virustotal: Detection: 72%
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Joe Sandbox ML: detected
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | String decryptor: 85.31.47.24
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | String decryptor: 1888
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | String decryptor: <123456789>
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | String decryptor: <Xwormmm>
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | String decryptor: 01-10-2025
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | String decryptor: USB.exe
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49994 -> 85.31.47.24:1888
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:50019 -> 85.31.47.24:1888
Source: Malware configuration extractor | URLs: 85.31.47.24
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 85.31.47.24:1888
Source: Joe Sandbox View | ASN Name: CLOUDCOMPUTINGDE CLOUDCOMPUTINGDE
Source: unknown | TCP traffic detected without corresponding DNS query: 85.31.47.24 (50 identical entries collapsed into one)
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, 00000000.00000002.4584307131.0000000002611000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
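The "TCP traffic detected without corresponding DNS query" entries are the network-side fingerprint of a hard-coded C2 address: the client opens TCP sessions to 85.31.47.24:1888 without ever resolving a name for it. The script below is an added example written for this page, not Joe Sandbox or XWorm code, showing how that finding is reproduced from ordinary DNS and connection logs. It runs on constructed Zeek-style records embedded inline; the client 192.168.2.5, the destination 85.31.47.24 and port 1888 come from the report, while the other hosts, names, timestamps and the "expected ports" set are assumptions made for the example.

```python
"""Flag TCP connections whose destination was never returned by a DNS answer (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed DNS records: (timestamp, queried name, answered IPs).
DNS_LOG: List[Tuple[str, str, List[str]]] = [
    ("2025-01-24T08:01:10", "ctldl.windowsupdate.com", ["13.107.4.50"]),
    ("2025-01-24T08:01:12", "www.msftconnecttest.com", ["23.52.73.34"]),
]

# Constructed connection records: (timestamp, src, sport, dst, dport, proto).
CONN_LOG = [
    ("2025-01-24T08:01:05", "192.168.2.5", 49680, "23.52.73.34", 443, "tcp"),   # answer arrives only later
    ("2025-01-24T08:01:11", "192.168.2.5", 49690, "13.107.4.50", 80, "tcp"),    # benign: resolved, port 80
    ("2025-01-24T08:02:20", "192.168.2.5", 49704, "85.31.47.24", 1888, "tcp"),  # from the report: C2 beacon
    ("2025-01-24T08:02:54", "192.168.2.5", 50019, "85.31.47.24", 1888, "tcp"),  # from the report: Suricata alert
]

# Assumption for the example: ports a workstation is expected to reach directly.
EXPECTED_PORTS = {80, 443}


@dataclass(frozen=True)
class Finding:
    dst: str
    dport: int
    reasons: Tuple[str, ...]
    count: int


def find_suspicious(conn_log, dns_log) -> List[Finding]:
    """Group TCP connections to unresolved and/or non-standard-port destinations."""
    answers = [(datetime.fromisoformat(ts), set(ips)) for ts, _name, ips in dns_log]
    grouped: Dict[Tuple[str, int, Tuple[str, ...]], List[str]] = {}
    for ts, _src, _sport, dst, dport, proto in conn_log:
        if proto != "tcp":
            continue
        when = datetime.fromisoformat(ts)
        # A hard-coded C2 is never looked up; require an answer at or before the connection,
        # so an address that is only resolved afterwards does not retroactively look legitimate.
        resolved = any(dst in ips and seen <= when for seen, ips in answers)
        reasons = []
        if not resolved:
            reasons.append("no DNS answer for destination before connection")
        if dport not in EXPECTED_PORTS:
            reasons.append("non-standard port")
        if reasons:
            grouped.setdefault((dst, dport, tuple(reasons)), []).append(ts)
    findings = [Finding(d, p, r, len(times)) for (d, p, r), times in grouped.items()]
    # Most repeated destination first: a beacon repeats, a one-off is more likely noise.
    return sorted(findings, key=lambda f: (-f.count, f.dst))


if __name__ == "__main__":
    for f in find_suspicious(CONN_LOG, DNS_LOG):
        print(f"{f.dst}:{f.dport}  x{f.count}  {'; '.join(f.reasons)}")
```

The check is deliberately two-part: "unresolved destination" alone is noisy on hosts that use encrypted DNS or a resolver outside the monitored segment, and "non-standard port" alone catches plenty of legitimate software; a destination that repeats and trips both, as 85.31.47.24:1888 does here, is worth the analyst's time.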

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, XLogger.cs | .Net Code: KeyboardLayout

          System Summary

Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe.220000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.0.17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe.220000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2124445370.0000000000222000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Code function: 0_2_00007FF848E96726
Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Code function: 0_2_00007FF848E974D2
Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Code function: 0_2_00007FF848E96229
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, 00000000.00000000.2124466815.000000000022C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename XClient.exe4 vs 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Binary or memory string: OriginalFilename XClient.exe4 vs 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe.220000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe.220000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2124445370.0000000000222000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\KYDPmLKQ1YuSniXQ
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Virustotal: Detection: 72%
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Sections loaded (one entry per module, in load order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, mswsock.dll, wbemcomn.dll, amsi.dll, userenv.dll, avicap32.dll, msvfw32.dll, winmm.dll
Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
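The static PE facts the report lists (EXECUTABLE_IMAGE and 32BIT_MACHINE in the COFF header, DYNAMIC_BASE/NX_COMPAT/NO_SEH/TERMINAL_SERVER_AWARE in DllCharacteristics, and a populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, which is what marks the file as a managed .NET image) are a few fixed-offset header fields. The parser below is an added example written for this page, not Joe Sandbox or XWorm code, and reads them with the standard library only. It parses a minimal PE32 header that build_sample_pe() constructs with the flag values the report shows; section table, code and the CLR header body are omitted because the parser does not need them, and the machine-type and flag name tables are the standard PE/COFF values.

```python
"""Read machine type, Characteristics, DllCharacteristics and the CLR directory from a PE (added example)."""
import struct
from typing import Dict, List

MACHINES = {0x14C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
COFF_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH",
    0x0800: "NO_BIND", 0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header: non-zero means a managed image


def _flags(value: int, table: Dict[int, str]) -> List[str]:
    return sorted(name for bit, name in table.items() if value & bit)


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symptr, _nsyms, _optsize, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                # PE32: data directories start at +96
        dirs = opt + 96
    elif magic == 0x20B:                              # PE32+: 64-bit size fields push them to +112
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]               # NumberOfRvaAndSizes
    clr_rva = clr_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    dllc = _flags(dll_characteristics, DLL_CHARACTERISTICS)
    # HIGH_ENTROPY_VA only applies to 64-bit images, so only expect it for PE32+.
    expected = {"GUARD_CF"} | ({"HIGH_ENTROPY_VA"} if magic == 0x20B else set())
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "format": "PE32" if magic == 0x10B else "PE32+",
        "characteristics": _flags(characteristics, COFF_CHARACTERISTICS),
        "dll_characteristics": dllc,
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "missing_mitigations": sorted(expected - set(dllc)),
    }


def build_sample_pe(dll_characteristics: int = 0x8540, characteristics: int = 0x0102,
                    clr_rva: int = 0x2008, clr_size: int = 0x48) -> bytes:
    """Constructed PE32 header. 0x8540 = DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE and
    0x0102 = EXECUTABLE_IMAGE|32BIT_MACHINE, the values reported for this sample."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)                                     # PE32 optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)                    # magic: PE32
    struct.pack_into("<H", opt, 68, 2)                       # subsystem: Windows GUI (arbitrary for the example)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, clr_rva, clr_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

For a .NET assembly this particular DllCharacteristics set is the compiler default and NO_SEH is expected (managed code carries no native SEH handler table), so none of the four flags is a maliciousness signal on its own; the field that changes the triage path is the COM descriptor, which says the file should be decompiled with a .NET tool rather than disassembled as native x86, and which also explains why a file flagged 32BIT_MACHINE ran as a 64-bit process (the 0_2_00007FF8... code addresses above) once the CLR loaded it on w10x64.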

          Data Obfuscation

Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, Messages.cs | .Net Code: Memory
Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Code function: 0_2_00007FF848E92963 pushad ; retf 0_2_00007FF848E929E1
Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Code function: 0_2_00007FF848E91715 push 8BE95C99h; retf 0_2_00007FF848E91752
Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Code function: 0_2_00007FF848E928FA pushad ; retf 0_2_00007FF848E929E1
Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Code function: 0_2_00007FF848E929FA push eax; iretd 0_2_00007FF848E92A21
Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX (36 identical entries collapsed into one)
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (53 identical entries)
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Memory allocated: 850000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Memory allocated: 1A610000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Window / User API: threadDelayed 8942
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Window / User API: threadDelayed 870
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe TID: 2316 | Thread sleep time: -8301034833169293s >= -30000s
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe TID: 1788 | Thread sleep count: 8942 > 30
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe TID: 1788 | Thread sleep count: 870 > 30
          Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | File Volume queried: C:\ FullSizeInformation (51 identical entries)
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Thread delayed: delay time: 922337203685477
          Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, 00000000.00000002.4585798294.000000001B5D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Process information queried: ProcessInformation

          Anti Debugging

          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Process Stats: CPU usage > 42% for more than 60s
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Process token adjusted: Debug
          Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Queries volume information: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe VolumeInformation
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, 00000000.00000002.4585798294.000000001B61A000.00000004.00000020.00020000.00000000.sdmp, 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, 00000000.00000002.4585798294.000000001B660000.00000004.00000020.00020000.00000000.sdmp, 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, 00000000.00000002.4585798294.000000001B62A000.00000004.00000020.00020000.00000000.sdmp, 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, 00000000.00000002.4585798294.000000001B5D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

          Stealing of Sensitive Information

Source: Yara match, File source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, type: SAMPLE
Source: Yara match, File source: 0.0.17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000000.2124445370.0000000000222000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe PID: 2300, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match, File source: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, type: SAMPLE
Source: Yara match, File source: 0.0.17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000000.2124445370.0000000000222000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe PID: 2300, type: MEMORYSTR
Tactics and techniques (numbers in parentheses are the counts shown in the matrix):

• Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
• Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
• Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
• Execution: Windows Management Instrumentation (11), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
• Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
• Privilege Escalation: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
• Defense Evasion: Disable or Modify Tools (1), Virtualization/Sandbox Evasion (232), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), Software Packing (2), DLL Side-Loading (1)
• Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
• Discovery: Security Software Discovery (221), Process Discovery (1), Virtualization/Sandbox Evasion (232), Application Window Discovery (1), System Information Discovery (13), Wi-Fi Discovery
• Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
• Collection: Input Capture (1), Archive Collected Data (11), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
• Command and Control: Encrypted Channel (1), Non-Standard Port (1), Application Layer Protocol (1), Protocol Impersonation, Fallback Channels, Multiband Communication
• Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
• Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 1598374
Sample: 17377014056a69536ab12b0f859...
Start date: 24/01/2025
Architecture: WINDOWS
Score: 100
Top signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
Process started: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe
Network: 85.31.47.24:1888 (local ports 49704, 49706), CLOUDCOMPUTINGDE, Germany
Process signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found potential dummy code loops (likely to delay analysis)

Source | Detection | Scanner | Label
17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | 72% | Virustotal |
17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | 100% | Avira | TR/Spy.Gen
17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
85.31.47.24 | 0% | Avira URL Cloud | safe

No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
85.31.47.24 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe, 00000000.00000002.4584307131.0000000002611000.00000004.00000800.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
85.31.47.24 | unknown | Germany | 43659 | CLOUDCOMPUTINGDE | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1598374
Start date and time: 2025-01-24 07:58:29 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 4
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:59:32 | API Interceptor | 13722437x Sleep call for process: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
85.31.47.24 | 1737701404fa7085385bfb79cbd0d6f35547f75f57270f2f6ee97e206b79cdebcd0ddf2d49957.dat-decoded.exe | malicious | XWorm
85.31.47.24 | 1737093845fa524ebf195ac8a9f4732d7ce215bdebbbcad650b27a4f718c7cf3432f4a94fc618.dat-decoded.exe | malicious | XWorm
85.31.47.24 | 17370524479f15d0891d2a1787b99e1cc15981f0e6b8193a68e4b415d1a054aa4ccae688ea843.dat-decoded.exe | malicious | XWorm
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDCOMPUTINGDE | 1737701404fa7085385bfb79cbd0d6f35547f75f57270f2f6ee97e206b79cdebcd0ddf2d49957.dat-decoded.exe | malicious | XWorm | 85.31.47.24
CLOUDCOMPUTINGDE | 1737093845fa524ebf195ac8a9f4732d7ce215bdebbbcad650b27a4f718c7cf3432f4a94fc618.dat-decoded.exe | malicious | XWorm | 85.31.47.24
CLOUDCOMPUTINGDE | 17370524479f15d0891d2a1787b99e1cc15981f0e6b8193a68e4b415d1a054aa4ccae688ea843.dat-decoded.exe | malicious | XWorm | 85.31.47.24
CLOUDCOMPUTINGDE | New Order Inquiry.exe | malicious | Remcos | 80.76.51.19
CLOUDCOMPUTINGDE | file.exe | malicious | DarkVision Rat | 85.31.47.116
CLOUDCOMPUTINGDE | Inquiry List.doc | malicious | DarkVision Rat | 85.31.47.116
CLOUDCOMPUTINGDE | same.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm | 80.76.51.73
CLOUDCOMPUTINGDE | onlysteal.exe | malicious | DCRat | 185.216.71.25
CLOUDCOMPUTINGDE | WC2SD38tcf.exe | malicious | Stealc | 185.216.71.4
CLOUDCOMPUTINGDE | hidakibest.arm6.elf | malicious | Gafgyt, Mirai | 185.216.71.152
No context
No context
                  No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.6106871128051745
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: 17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe
File size: 36'864 bytes
MD5: 648c182e090bbda47f228fb15eaa7daa
SHA1: 5c6b5a0f89b91cee34112357979202633b787490
SHA256: ba2596817b32f9dfc9358119e4a294b5673cefe55b991ce49d94f36b79c7268a
SHA512: 2dcd49dde2294b6b41c90befda6144bcbae610d660d51b009770fcc2edd923bbb078dde9b569d76ea4fd5ffa9c3072ff66dedae52fc7e1da27d13516890597f5
SSDEEP: 768:zL13A5Uno9RfHWa2B71eo8icHyEWbFb9Y2OMhrQXvc:nxA5Uno9JHWXZeNicHyESFb9Y2OMd6c
TLSH: 1EF23B48BBE04216D9ED6BF5A97372020674E613D917EB4E4CD489DB6F23BC48D013EA
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,.g................................. ........@.. ....................................@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x40a5ee
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67812CC5 [Fri Jan 10 14:20:53 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                  Instruction
                  jmp dword ptr [00402000h]
                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa594 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x85f4 | 0x8600 | db2ff666e083fef9bd4292ece46d2ef1 | False | 0.49889225746268656 | data | 5.746292575645731 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x4d8 | 0x600 | 2472af5ddbb53779b7381f16b8b9407b | False | 0.3756510416666667 | data | 3.7216503306685733 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | fd3ac7fbb8a34dc91e775b7c64e87bbc | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x244 | data | | | 0.4724137931034483
RT_MANIFEST | 0xc2e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-24T08:00:40.855523+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49994 | 85.31.47.24 | 1888 | TCP
2025-01-24T08:02:54.395678+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 50019 | 85.31.47.24 | 1888 | TCP
                  TimestampSource PortDest PortSource IPDest IP
                  Jan 24, 2025 07:59:55.172343969 CET18884981985.31.47.24192.168.2.5
                  Jan 24, 2025 07:59:56.899190903 CET18884981985.31.47.24192.168.2.5
                  Jan 24, 2025 07:59:56.902106047 CET498191888192.168.2.585.31.47.24
                  Jan 24, 2025 07:59:58.754621029 CET498191888192.168.2.585.31.47.24
                  Jan 24, 2025 07:59:58.755423069 CET498401888192.168.2.585.31.47.24
                  Jan 24, 2025 07:59:58.759423018 CET18884981985.31.47.24192.168.2.5
                  Jan 24, 2025 07:59:58.760190010 CET18884984085.31.47.24192.168.2.5
                  Jan 24, 2025 07:59:58.760261059 CET498401888192.168.2.585.31.47.24
                  Jan 24, 2025 07:59:58.776029110 CET498401888192.168.2.585.31.47.24
                  Jan 24, 2025 07:59:58.780810118 CET18884984085.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:00.513744116 CET18884984085.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:00.514137030 CET498401888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:03.457797050 CET498401888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:03.459686995 CET498731888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:03.462583065 CET18884984085.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:03.466514111 CET18884987385.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:03.466633081 CET498731888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:03.484230995 CET498731888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:03.489062071 CET18884987385.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:05.190397024 CET18884987385.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:05.194155931 CET498731888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:08.207766056 CET498731888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:08.209326029 CET499061888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:08.212639093 CET18884987385.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:08.214905024 CET18884990685.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:08.215142012 CET499061888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:08.232006073 CET499061888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:08.236881018 CET18884990685.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:09.958435059 CET18884990685.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:09.962171078 CET499061888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:11.067369938 CET499061888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:11.068728924 CET499231888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:11.072221994 CET18884990685.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:11.073705912 CET18884992385.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:11.073780060 CET499231888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:11.090889931 CET499231888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:11.095779896 CET18884992385.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:12.817668915 CET18884992385.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:12.817879915 CET499231888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:14.957726002 CET499231888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:14.958652020 CET499491888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:14.962501049 CET18884992385.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:14.963535070 CET18884994985.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:14.963623047 CET499491888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:14.979387999 CET499491888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:14.984299898 CET18884994985.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:16.691387892 CET18884994985.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:16.691481113 CET499491888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:18.098460913 CET499491888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:18.100148916 CET499701888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:18.107178926 CET18884994985.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:18.110073090 CET18884997085.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:18.110241890 CET499701888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:18.127032042 CET499701888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:18.135796070 CET18884997085.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:19.870161057 CET18884997085.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:19.870588064 CET499701888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:20.004792929 CET499701888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:20.006036997 CET499811888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:20.009851933 CET18884997085.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:20.011384964 CET18884998185.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:20.011502981 CET499811888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:20.041549921 CET499811888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:20.046768904 CET18884998185.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:21.739260912 CET18884998185.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:21.742172956 CET499811888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:22.442503929 CET499811888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:22.443149090 CET499861888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:22.447544098 CET18884998185.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:22.447937012 CET18884998685.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:22.448050976 CET499861888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:22.468417883 CET499861888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:22.473193884 CET18884998685.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:24.175398111 CET18884998685.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:24.175507069 CET499861888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:25.442481041 CET499861888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:25.443955898 CET499881888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:25.447351933 CET18884998685.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:25.448694944 CET18884998885.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:25.448764086 CET499881888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:25.465174913 CET499881888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:25.470295906 CET18884998885.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:27.199918032 CET18884998885.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:27.200007915 CET499881888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:27.676574945 CET499881888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:27.677491903 CET499891888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:27.681386948 CET18884998885.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:27.682303905 CET18884998985.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:27.682405949 CET499891888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:27.699593067 CET499891888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:27.704415083 CET18884998985.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:29.410557032 CET18884998985.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:29.410933971 CET499891888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:29.551578999 CET499891888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:29.552525997 CET499901888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:29.556473970 CET18884998985.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:29.557326078 CET18884999085.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:29.557395935 CET499901888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:29.577641964 CET499901888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:29.584450006 CET18884999085.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:31.329344034 CET18884999085.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:31.329406977 CET499901888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:31.676985979 CET499901888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:31.678407907 CET499911888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:31.682565928 CET18884999085.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:31.683370113 CET18884999185.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:31.683494091 CET499911888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:31.705435991 CET499911888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:31.710222006 CET18884999185.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:33.417493105 CET18884999185.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:33.417591095 CET499911888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:33.614121914 CET499911888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:33.614991903 CET499921888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:33.618860006 CET18884999185.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:33.619815111 CET18884999285.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:33.619900942 CET499921888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:33.635438919 CET499921888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:33.640439987 CET18884999285.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:35.365542889 CET18884999285.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:35.365611076 CET499921888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:35.379662991 CET499921888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:35.380666018 CET499931888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:35.384511948 CET18884999285.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:35.385493040 CET18884999385.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:35.385587931 CET499931888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:35.401074886 CET499931888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:35.405900002 CET18884999385.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:37.130850077 CET18884999385.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:37.130970001 CET499931888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:40.770844936 CET499931888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:40.773199081 CET499941888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:40.775787115 CET18884999385.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:40.778202057 CET18884999485.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:40.778301001 CET499941888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:40.819369078 CET499941888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:40.824338913 CET18884999485.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:40.855523109 CET499941888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:40.860302925 CET18884999485.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:41.052937984 CET499941888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:41.057728052 CET18884999485.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:42.521696091 CET18884999485.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:42.521847963 CET499941888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:46.817399979 CET499941888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:46.820990086 CET499951888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:46.822314024 CET18884999485.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:46.825799942 CET18884999585.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:46.825882912 CET499951888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:46.869254112 CET499951888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:46.874150038 CET18884999585.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:46.927547932 CET499951888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:46.932518005 CET18884999585.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:46.958108902 CET499951888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:46.962989092 CET18884999585.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:48.577100992 CET18884999585.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:48.582173109 CET499951888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:52.051486015 CET499951888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:52.056562901 CET18884999585.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:52.056600094 CET499961888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:52.061434984 CET18884999685.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:52.061561108 CET499961888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:52.130152941 CET499961888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:52.134946108 CET18884999685.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:53.804852962 CET18884999685.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:53.810184002 CET499961888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:57.176489115 CET499961888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:57.179090023 CET499971888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:57.181387901 CET18884999685.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:57.184438944 CET18884999785.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:57.184551954 CET499971888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:57.230691910 CET499971888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:57.236572981 CET18884999785.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:57.254914999 CET499971888192.168.2.585.31.47.24
                  Jan 24, 2025 08:00:57.259768009 CET18884999785.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:58.934972048 CET18884999785.31.47.24192.168.2.5
                  Jan 24, 2025 08:00:58.935138941 CET499971888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:02.303904057 CET499971888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:02.304502010 CET499981888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:02.308877945 CET18884999785.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:02.309324980 CET18884999885.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:02.309492111 CET499981888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:02.502178907 CET499981888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:02.507246017 CET18884999885.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:04.036087990 CET18884999885.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:04.037266016 CET499981888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:07.661118984 CET499981888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:07.664022923 CET499991888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:07.666795969 CET18884999885.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:07.669025898 CET18884999985.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:07.669246912 CET499991888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:07.749317884 CET499991888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:07.754339933 CET18884999985.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:09.408325911 CET18884999985.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:09.408415079 CET499991888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:13.473623991 CET499991888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:13.476830959 CET500001888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:13.478490114 CET18884999985.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:13.481631994 CET18885000085.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:13.481703997 CET500001888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:13.521992922 CET500001888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:13.526968956 CET18885000085.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:15.208671093 CET18885000085.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:15.208760023 CET500001888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:18.598753929 CET500001888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:18.600627899 CET500011888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:18.603688002 CET18885000085.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:18.605550051 CET18885000185.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:18.605667114 CET500011888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:18.679550886 CET500011888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:18.684493065 CET18885000185.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:18.692321062 CET500011888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:18.697155952 CET18885000185.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:18.708511114 CET500011888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:18.714433908 CET18885000185.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:18.732762098 CET500011888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:18.737534046 CET18885000185.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:18.864660978 CET500011888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:18.870877028 CET18885000185.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:18.880228996 CET500011888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:18.886646986 CET18885000185.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:18.895581007 CET500011888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:18.900438070 CET18885000185.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:18.973776102 CET500011888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:18.981200933 CET18885000185.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:18.989423990 CET500011888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:18.997303009 CET18885000185.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:19.004926920 CET500011888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:19.009762049 CET18885000185.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:20.350121021 CET18885000185.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:20.350249052 CET500011888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:24.054197073 CET500021888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:24.054552078 CET500011888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:24.059201002 CET18885000285.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:24.059377909 CET18885000185.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:24.065979958 CET500021888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:24.248713970 CET500021888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:24.253690958 CET18885000285.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:24.258238077 CET500021888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:24.263405085 CET18885000285.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:24.630203009 CET500021888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:24.635210991 CET18885000285.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:25.805718899 CET18885000285.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:25.808414936 CET500021888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:29.363984108 CET500021888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:29.366703033 CET500031888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:29.368748903 CET18885000285.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:29.371689081 CET18885000385.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:29.371772051 CET500031888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:29.418782949 CET500031888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:29.423952103 CET18885000385.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:29.442472935 CET500031888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:29.447415113 CET18885000385.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:29.458090067 CET500031888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:29.463006020 CET18885000385.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:29.598661900 CET500031888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:29.604231119 CET18885000385.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:29.614255905 CET500031888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:29.619124889 CET18885000385.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:31.116058111 CET18885000385.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:31.116137981 CET500031888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:34.678184986 CET500031888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:34.683008909 CET18885000385.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:34.689409971 CET500041888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:34.694205999 CET18885000485.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:34.694267988 CET500041888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:34.839425087 CET500041888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:34.844666004 CET18885000485.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:34.865554094 CET500041888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:34.870662928 CET18885000485.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:34.927417994 CET500041888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:34.932460070 CET18885000485.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:34.989331961 CET500041888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:34.997298002 CET18885000485.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:36.449358940 CET18885000485.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:36.450823069 CET500041888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:40.067337990 CET500041888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:40.070439100 CET500051888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:40.072248936 CET18885000485.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:40.075371981 CET18885000585.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:40.078365088 CET500051888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:40.186292887 CET500051888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:40.191207886 CET18885000585.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:41.801986933 CET18885000585.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:41.803020000 CET500051888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:45.436470032 CET500051888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:45.438956022 CET500061888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:45.441301107 CET18885000585.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:45.443825006 CET18885000685.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:45.443891048 CET500061888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:45.540688038 CET500061888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:45.545535088 CET18885000685.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:47.184964895 CET18885000685.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:47.185035944 CET500061888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:50.567234039 CET500061888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:50.569725990 CET500071888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:50.572479010 CET18885000685.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:50.575546026 CET18885000785.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:50.575706005 CET500071888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:50.650274992 CET500071888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:50.658934116 CET18885000785.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:52.339042902 CET18885000785.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:52.339123964 CET500071888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:55.692130089 CET500071888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:55.694550037 CET500081888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:55.697005987 CET18885000785.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:55.699572086 CET18885000885.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:55.699640036 CET500081888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:55.738259077 CET500081888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:55.743146896 CET18885000885.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:55.926703930 CET500081888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:55.931549072 CET18885000885.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:56.583101034 CET500081888192.168.2.585.31.47.24
                  Jan 24, 2025 08:01:56.590251923 CET18885000885.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:57.464514971 CET18885000885.31.47.24192.168.2.5
                  Jan 24, 2025 08:01:57.466324091 CET500081888192.168.2.585.31.47.24
                  Jan 24, 2025 08:02:00.834367990 CET500081888192.168.2.585.31.47.24
                  Jan 24, 2025 08:02:00.834439039 CET500091888192.168.2.585.31.47.24
                  Jan 24, 2025 08:02:00.839524031 CET18885000885.31.47.24192.168.2.5
                  Jan 24, 2025 08:02:00.839541912 CET18885000985.31.47.24192.168.2.5
                  Jan 24, 2025 08:02:00.839714050 CET500091888192.168.2.585.31.47.24
                  Jan 24, 2025 08:02:00.927675009 CET500091888192.168.2.585.31.47.24
                  Jan 24, 2025 08:02:00.933558941 CET18885000985.31.47.24192.168.2.5
                  Jan 24, 2025 08:02:02.590290070 CET18885000985.31.47.24192.168.2.5
                  Jan 24, 2025 08:02:02.590404987 CET500091888192.168.2.585.31.47.24
                  Jan 24, 2025 08:02:06.073400974 CET500091888192.168.2.585.31.47.24
                  Jan 24, 2025 08:02:06.075222969 CET500101888192.168.2.585.31.47.24
                  Jan 24, 2025 08:02:06.078412056 CET18885000985.31.47.24192.168.2.5
                  Jan 24, 2025 08:02:06.080076933 CET18885001085.31.47.24192.168.2.5
                  Jan 24, 2025 08:02:06.080147982 CET500101888192.168.2.585.31.47.24
                  Jan 24, 2025 08:02:06.123087883 CET500101888192.168.2.585.31.47.24
                  Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                  Jan 24, 2025 08:02:06.127909899 CET  1888         50010      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:06.161128998 CET  50010        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:06.165936947 CET  1888         50010      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:06.208303928 CET  50010        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:06.213226080 CET  1888         50010      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:06.411331892 CET  50010        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:06.416199923 CET  1888         50010      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:07.827383995 CET  1888         50010      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:07.827445984 CET  50010        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:11.241708994 CET  50011        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:11.241714001 CET  50010        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:11.246900082 CET  1888         50010      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:11.246917009 CET  1888         50011      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:11.247322083 CET  50011        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:11.463495970 CET  50011        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:11.471057892 CET  1888         50011      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:12.991885900 CET  1888         50011      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:12.992430925 CET  50011        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:16.598428965 CET  50011        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:16.600374937 CET  50012        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:16.603560925 CET  1888         50011      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:16.605675936 CET  1888         50012      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:16.605735064 CET  50012        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:16.649640083 CET  50012        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:16.654525995 CET  1888         50012      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:16.661117077 CET  50012        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:16.665972948 CET  1888         50012      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:18.336946011 CET  1888         50012      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:18.337066889 CET  50012        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:21.662290096 CET  50013        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:21.662489891 CET  50012        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:21.667109013 CET  1888         50013      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:21.667355061 CET  1888         50012      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:21.667515039 CET  50013        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:21.805104971 CET  50013        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:21.809969902 CET  1888         50013      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:21.817605019 CET  50013        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:21.822384119 CET  1888         50013      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:21.833065033 CET  50013        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:21.837795973 CET  1888         50013      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:21.848750114 CET  50013        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:21.853552103 CET  1888         50013      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:21.864264011 CET  50013        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:21.869394064 CET  1888         50013      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:23.412884951 CET  1888         50013      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:23.413415909 CET  50013        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:26.898271084 CET  50013        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:26.902971983 CET  50014        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:26.903095007 CET  1888         50013      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:26.909338951 CET  1888         50014      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:26.910492897 CET  50014        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:27.059529066 CET  50014        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:27.066328049 CET  1888         50014      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:27.118413925 CET  50014        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:27.123297930 CET  1888         50014      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:28.655210018 CET  1888         50014      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:28.655289888 CET  50014        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:32.176595926 CET  50014        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:32.178926945 CET  50015        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:32.181400061 CET  1888         50014      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:32.183753967 CET  1888         50015      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:32.183830976 CET  50015        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:32.219011068 CET  50015        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:32.224354982 CET  1888         50015      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:32.239197016 CET  50015        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:32.244287968 CET  1888         50015      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:32.473676920 CET  50015        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:32.478668928 CET  1888         50015      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:32.504997015 CET  50015        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:32.510211945 CET  1888         50015      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:32.536341906 CET  50015        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:32.541624069 CET  1888         50015      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:32.629930019 CET  50015        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:32.634793997 CET  1888         50015      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:33.950090885 CET  1888         50015      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:33.950151920 CET  50015        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:37.786102057 CET  50015        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:37.787471056 CET  50016        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:37.790914059 CET  1888         50015      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:37.792359114 CET  1888         50016      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:37.792512894 CET  50016        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:37.837090969 CET  50016        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:37.842041969 CET  1888         50016      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:37.864990950 CET  50016        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:37.869839907 CET  1888         50016      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:37.880132914 CET  50016        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:37.885032892 CET  1888         50016      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:37.895894051 CET  50016        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:37.900690079 CET  1888         50016      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:39.541074991 CET  1888         50016      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:39.542417049 CET  50016        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:42.989377022 CET  50016        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:42.994199991 CET  1888         50016      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:42.994290113 CET  50017        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:42.999119997 CET  1888         50017      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:43.005285978 CET  50017        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:43.232757092 CET  50017        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:43.238215923 CET  1888         50017      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:44.763284922 CET  1888         50017      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:44.763590097 CET  50017        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:48.333584070 CET  50017        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:48.338320971 CET  50018        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:48.338830948 CET  1888         50017      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:48.343342066 CET  1888         50018      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:48.343420029 CET  50018        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:48.413064957 CET  50018        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:48.418026924 CET  1888         50018      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:48.677150011 CET  50018        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:48.685273886 CET  1888         50018      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:48.692706108 CET  50018        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:48.697822094 CET  1888         50018      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:50.075949907 CET  1888         50018      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:50.076153994 CET  50018        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:54.160933971 CET  50018        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:54.163902998 CET  50019        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:54.165796995 CET  1888         50018      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:54.168811083 CET  1888         50019      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:54.168888092 CET  50019        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:54.206607103 CET  50019        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:54.211487055 CET  1888         50019      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:54.239583015 CET  50019        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:54.244443893 CET  1888         50019      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:54.254956007 CET  50019        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:54.259876966 CET  1888         50019      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:54.333201885 CET  50019        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:54.338119030 CET  1888         50019      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:54.395678043 CET  50019        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:54.400640965 CET  1888         50019      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:55.897367001 CET  1888         50019      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:55.897445917 CET  50019        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:59.397094011 CET  50019        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:59.400255919 CET  50020        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:59.402192116 CET  1888         50019      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:59.406121016 CET  1888         50020      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:02:59.406306028 CET  50020        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:59.524472952 CET  50020        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:02:59.530847073 CET  1888         50020      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:01.185626984 CET  1888         50020      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:01.190422058 CET  50020        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:04.864072084 CET  50020        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:04.867335081 CET  50021        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:04.869615078 CET  1888         50020      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:04.872800112 CET  1888         50021      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:04.874414921 CET  50021        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:05.003298998 CET  50021        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:05.008207083 CET  1888         50021      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:06.601551056 CET  1888         50021      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:06.604424000 CET  50021        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:10.067353010 CET  50021        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:10.069947958 CET  50022        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:10.072949886 CET  1888         50021      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:10.075074911 CET  1888         50022      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:10.075166941 CET  50022        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:10.196494102 CET  50022        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:10.201461077 CET  1888         50022      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:11.814462900 CET  1888         50022      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:11.816906929 CET  50022        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:15.536076069 CET  50022        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:15.539799929 CET  50023        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:15.541034937 CET  1888         50022      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:15.544651985 CET  1888         50023      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:15.544719934 CET  50023        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:15.574156046 CET  50023        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:15.579049110 CET  1888         50023      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:15.582921982 CET  50023        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:15.587737083 CET  1888         50023      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:15.661122084 CET  50023        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:15.666054964 CET  1888         50023      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:15.692364931 CET  50023        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:15.697293043 CET  1888         50023      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:15.708081961 CET  50023        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:15.712927103 CET  1888         50023      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:15.723459959 CET  50023        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:15.728943110 CET  1888         50023      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:15.754920006 CET  50023        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:15.759758949 CET  1888         50023      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:15.770397902 CET  50023        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:15.775249958 CET  1888         50023      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:17.299496889 CET  1888         50023      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:17.299582958 CET  50023        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:20.864202023 CET  50023        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:20.866354942 CET  50024        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:20.871176004 CET  1888         50023      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:20.873430014 CET  1888         50024      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:20.873567104 CET  50024        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:20.937114954 CET  50024        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:20.941982031 CET  1888         50024      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:20.958034039 CET  50024        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:20.963373899 CET  1888         50024      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:20.989289999 CET  50024        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:20.994167089 CET  1888         50024      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:21.020538092 CET  50024        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:21.025474072 CET  1888         50024      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:21.036282063 CET  50024        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:21.041431904 CET  1888         50024      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:21.051882029 CET  50024        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:21.056782007 CET  1888         50024      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:21.067462921 CET  50024        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:21.072371960 CET  1888         50024      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:21.114901066 CET  50024        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:21.119812012 CET  1888         50024      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:21.129955053 CET  50024        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:21.134839058 CET  1888         50024      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:21.161243916 CET  50024        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:21.166357994 CET  1888         50024      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:21.411257982 CET  50024        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:21.418195963 CET  1888         50024      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:22.622092009 CET  1888         50024      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:22.622548103 CET  50024        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:26.194401979 CET  50024        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:26.194402933 CET  50025        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:26.199456930 CET  1888         50024      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:26.199487925 CET  1888         50025      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:26.200021029 CET  50025        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:26.339520931 CET  50025        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:26.344707012 CET  1888         50025      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:26.802460909 CET  50025        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:26.807657957 CET  1888         50025      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:27.955244064 CET  1888         50025      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:27.960441113 CET  50025        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:31.364309072 CET  50025        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:31.368006945 CET  50026        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:31.369271040 CET  1888         50025      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:31.372889996 CET  1888         50026      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:31.372951984 CET  50026        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:31.414279938 CET  50026        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:31.419181108 CET  1888         50026      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:31.426914930 CET  50026        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:31.431821108 CET  1888         50026      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:31.489444971 CET  50026        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:31.494345903 CET  1888         50026      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:31.536330938 CET  50026        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:31.541340113 CET  1888         50026      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:31.598623991 CET  50026        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:31.603554964 CET  1888         50026      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:31.629966021 CET  50026        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:31.635056973 CET  1888         50026      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:33.160233974 CET  1888         50026      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:33.160300970 CET  50026        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:40.692961931 CET  50026        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:40.694118023 CET  50027        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:40.697973967 CET  1888         50026      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:40.699418068 CET  1888         50027      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:40.699567080 CET  50027        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:40.732486963 CET  50027        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:40.738320112 CET  1888         50027      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:42.436808109 CET  1888         50027      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:42.436902046 CET  50027        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:44.114293098 CET  50027        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:44.118428946 CET  50028        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:44.119431973 CET  1888         50027      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:44.124943972 CET  1888         50028      85.31.47.24  192.168.2.5
                  Jan 24, 2025 08:03:44.130577087 CET  50028        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:44.137792110 CET  50028        1888       192.168.2.5  85.31.47.24
                  Jan 24, 2025 08:03:44.142663002 CET  1888         50028      85.31.47.24  192.168.2.5
                  Process behavior distribution (chart): File, Registry, Network

                  Target ID:0
                  Start time:01:59:28
                  Start date:24/01/2025
                  Path:C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f04531790.dat-decoded.exe"
                  Imagebase:0x220000
                  File size:36'864 bytes
                  MD5 hash:648C182E090BBDA47F228FB15EAA7DAA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2124445370.0000000000222000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2124445370.0000000000222000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                  Reputation:low
                  Has exited:false

                  Execution Graph

                  Execution Coverage

                  Dynamic/Packed Code Coverage

                  Signature Coverage

                  Execution Coverage:19.1%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:3
                  Total number of Limit Nodes:0
                  Execution graph (rendered figure): 7ff848e914da -> 7ff848e91c20 (SetWindowsHookExW) -> 7ff848e91cd1

                  Executed Functions

                  Control-flow Graph

                  Control-flow graph (rendered figure; legend: Executed / Not Executed). Basic blocks span 7ff848e96726-7ff848e96be3 and include a call to 7ff848e96be4.
                  Memory Dump Source
                  • Source File: 00000000.00000002.4586401167.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff848e90000_17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f0.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5ab5c873589f2098c14985aab67617e370dd06cd36f75938a217b828a1b6e358
                  • Instruction ID: 288a2748576d0321446ce144e8899ce1364e19ee9c928ce4e0ffc3d406d45a67
                  • Opcode Fuzzy Hash: 5ab5c873589f2098c14985aab67617e370dd06cd36f75938a217b828a1b6e358
                  • Instruction Fuzzy Hash: 06F1A63090CA8D8FEBA8EF28C8557E937E1FF54354F04826EE84DC7295DB7499458B82

                  Control-flow Graph

                  Control-flow graph (rendered figure; legend: Executed / Not Executed). Basic blocks span 7ff848e974d2-7ff848e9795f and include a call to 7ff848e97960.
                  Memory Dump Source
                  • Source File: 00000000.00000002.4586401167.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff848e90000_17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f0.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8995cfeb12c11719230380ec622d656fcbeca4e2ccf8624aa019f8b630868594
                  • Instruction ID: fc6b56441153255d60c73af1b8a501085433dfe9eccaa4c7da6e2e69ba6a4378
                  • Opcode Fuzzy Hash: 8995cfeb12c11719230380ec622d656fcbeca4e2ccf8624aa019f8b630868594
                  • Instruction Fuzzy Hash: C3E1A23090CA8E8FEBA8EF28C8557E97BE1FF54351F14426ED84DC7291DB74A8458B81

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4586401167.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff848e90000_17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f0.jbxd
                  Similarity
                  • API ID: HookWindows
                  • String ID:
                  • API String ID: 2559412058-0
                  • Opcode ID: b65626553ada1c6e5bf47918d7984324617a5512beaf45d5092857e5ff1f65de
                  • Instruction ID: 5f3ee908805f1e4edac94d4788b159e3ca779a991d26dfbb2fffdbcc1160c358
                  • Opcode Fuzzy Hash: b65626553ada1c6e5bf47918d7984324617a5512beaf45d5092857e5ff1f65de
                  • Instruction Fuzzy Hash: 6531043091CA4D5FDB1CEB6898066F9BBE1FB59321F04423ED009D3292CB75A8128B85

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4586401167.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff848e90000_17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f0.jbxd
                  Similarity
                  • API ID: HookWindows
                  • String ID:
                  • API String ID: 2559412058-0
                  • Opcode ID: ee87fdd54b69f63b8afa9218ce6e5042bf0d11648dd390e3b9f1e06c9167794b
                  • Instruction ID: 62ef0a6d664d2218852c2ebbfdf64e4b44fb4897c0471c0890dd7f9cce17a92f
                  • Opcode Fuzzy Hash: ee87fdd54b69f63b8afa9218ce6e5042bf0d11648dd390e3b9f1e06c9167794b
                  • Instruction Fuzzy Hash: 1431AF30A1CA1D9FDB58EB5898466B9B7E1FB99311F00423EE00ED3252DB75A8128B85

                  Non-executed Functions

                  Memory Dump Source
                  • Source File: 00000000.00000002.4586401167.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff848e90000_17377014056a69536ab12b0f859a66de89b12706e344abb5fe3544307ca437beeb04f0.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1090d060d9d701a4f86ef41e23acab21e83a2bf6b41eadbba2cbbd8d83375232
                  • Instruction ID: 850aa325e4d114db7bdf29c3d465b63dcd0acbe329951c3a8d0406afa31618bb
                  • Opcode Fuzzy Hash: 1090d060d9d701a4f86ef41e23acab21e83a2bf6b41eadbba2cbbd8d83375232
                  • Instruction Fuzzy Hash: 08D1C33091CA8D8FEBA8EF28C8557E977E1FF55350F04426EE84DC7291CB74A9418B82