
Windows Analysis Report
uPt3XcHAIA.exe

Overview

General Information

Sample name: uPt3XcHAIA.exe (renamed because the original name is a hash value)
Original sample name: 50bfc65f3fe6da315552cec46f02127ed91ddae075d6167f3c76606686cd1708.exe
Analysis ID: 1600635
MD5: 652eb7df5ebb74a48f6d7ad357600fc0
SHA1: 79ea7d68bcbd37946f326edd417f5b91833818a7
SHA256: 50bfc65f3fe6da315552cec46f02127ed91ddae075d6167f3c76606686cd1708
Tags: 176-113-115-225, booking, exe, user-JAMESWT_MHT

Detection

Malware family: XWorm
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Malware Callback Communication
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Classification chart (image not preserved). Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious.
  • System is w10x64
  • uPt3XcHAIA.exe (PID: 800 cmdline: "C:\Users\user\Desktop\uPt3XcHAIA.exe" MD5: 652EB7DF5EBB74A48F6D7AD357600FC0)
  • cleanup
Extracted malware configuration:
{
  "C2 url": [
    "176.113.115.225"
  ],
  "Port": 4444,
  "Aes key": "P0WER",
  "SPL": "<Xwormmm>",
  "Install file": "USB.exe"
}
Yara matches (sample):
Source: uPt3XcHAIA.exe | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: uPt3XcHAIA.exe | Rule: rat_win_xworm_v3 | Description: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
  • 0x9a92: $str01: $VB$Local_Port
  • 0x9afe: $str02: $VB$Local_Host
  • 0x83ee: $str03: get_Jpeg
  • 0x8990: $str04: get_ServicePack
  • 0xa7be: $str05: Select * from AntivirusProduct
  • 0xaefc: $str06: PCRestart
  • 0xaf10: $str07: shutdown.exe /f /r /t 0
  • 0xafc2: $str08: StopReport
  • 0xaf98: $str09: StopDDos
  • 0xb08e: $str10: sendPlugin
  • 0xb10e: $str11: OfflineKeylogger Not Enabled
  • 0xb266: $str12: -ExecutionPolicy Bypass -File "
  • 0xb88f: $str13: Content-length: 5235
Source: uPt3XcHAIA.exe | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0xbb38: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xbbd5: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xbcea: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xb7aa: $cnc4: POST / HTTP/1.1

Yara matches (memory dumps):
Source: 00000000.00000000.2313202746.0000000000922000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 00000000.00000000.2313202746.0000000000922000.00000002.00000001.01000000.00000003.sdmp | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0xb938: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xb9d5: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xbaea: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xb5aa: $cnc4: POST / HTTP/1.1
Source: 00000000.00000002.4760685747.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: Process Memory Space: uPt3XcHAIA.exe PID: 800 | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security

Yara matches (unpacked PEs):
Source: 0.0.uPt3XcHAIA.exe.920000.0.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 0.0.uPt3XcHAIA.exe.920000.0.unpack | Rule: rat_win_xworm_v3 | Description: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
  • 0x9a92: $str01: $VB$Local_Port
  • 0x9afe: $str02: $VB$Local_Host
  • 0x83ee: $str03: get_Jpeg
  • 0x8990: $str04: get_ServicePack
  • 0xa7be: $str05: Select * from AntivirusProduct
  • 0xaefc: $str06: PCRestart
  • 0xaf10: $str07: shutdown.exe /f /r /t 0
  • 0xafc2: $str08: StopReport
  • 0xaf98: $str09: StopDDos
  • 0xb08e: $str10: sendPlugin
  • 0xb10e: $str11: OfflineKeylogger Not Enabled
  • 0xb266: $str12: -ExecutionPolicy Bypass -File "
  • 0xb88f: $str13: Content-length: 5235
Source: 0.0.uPt3XcHAIA.exe.920000.0.unpack | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0xbb38: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xbbd5: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xbcea: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xb7aa: $cnc4: POST / HTTP/1.1
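The offsets in the tables above are where the rules' characteristic strings sit in the image. Both rules are plain string-match rules, and the reason the AsyncRAT rule also fires is that XWorm carries the same hard-coded User-Agent and "POST / HTTP/1.1" literals. The following added example (written for this page; it is not Joe Sandbox, Sekoia.io or ditekSHen code) reproduces that kind of match in Python: it searches a byte buffer for each rule string in both ASCII and UTF-16LE, because a .NET binary keeps member names such as $VB$Local_Port as ASCII in the #Strings heap but string literals such as "Select * from AntivirusProduct" as UTF-16LE in the #US heap, so a single-encoding scan misses half the indicators. The string lists are copied from the tables; the per-rule hit thresholds and the sample buffer are assumptions, not the published rule conditions or bytes of the real sample.

```python
"""
String-based rule matching over a .NET-style image, ASCII and UTF-16LE.

Added example, not Joe Sandbox, Sekoia.io or ditekSHen code. String lists are
copied from the Yara match tables; RULES thresholds and build_sample() are
assumptions made for illustration.
"""
from __future__ import annotations

XWORM_V3_STRINGS = [
    "$VB$Local_Port", "$VB$Local_Host", "get_Jpeg", "get_ServicePack",
    "Select * from AntivirusProduct", "PCRestart", "shutdown.exe /f /r /t 0",
    "StopReport", "StopDDos", "sendPlugin", "OfflineKeylogger Not Enabled",
    '-ExecutionPolicy Bypass -File "', "Content-length: 5235",
]

ASYNCRAT_CNC_STRINGS = [
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
    "POST / HTTP/1.1",
]

# Hypothetical "N of them" thresholds; the real rule conditions are not on the page.
RULES = {
    "rat_win_xworm_v3": (XWORM_V3_STRINGS, 5),
    "MALWARE_Win_AsyncRAT": (ASYNCRAT_CNC_STRINGS, 3),
}


def find_all(data: bytes, needle: bytes) -> list[int]:
    """Every offset at which needle occurs in data (overlapping hits allowed)."""
    hits, start = [], 0
    while (idx := data.find(needle, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def scan_strings(data: bytes, strings: list[str]) -> dict[str, list[tuple[int, str]]]:
    """Map each matched string to its (offset, encoding) hits, checking both encodings."""
    result: dict[str, list[tuple[int, str]]] = {}
    for s in strings:
        hits = [(o, "ascii") for o in find_all(data, s.encode("ascii"))]
        hits += [(o, "wide") for o in find_all(data, s.encode("utf-16-le"))]
        if hits:
            result[s] = sorted(hits)
    return result


def evaluate(data: bytes) -> dict[str, dict]:
    """Run every rule; report matched strings and whether its threshold is met."""
    report = {}
    for name, (strings, threshold) in RULES.items():
        matches = scan_strings(data, strings)
        report[name] = {"matched": matches, "count": len(matches),
                        "fires": len(matches) >= threshold}
    return report


def build_sample() -> bytes:
    """
    Constructed stand-in for the image (not bytes from the real sample):
    padding, metadata names as ASCII (#Strings heap), literals as UTF-16LE (#US heap).
    """
    blob = bytearray(b"\x00" * 0x100)
    for s in ("$VB$Local_Port", "$VB$Local_Host", "get_Jpeg", "get_ServicePack"):
        blob += s.encode("ascii") + b"\x00"
    blob += b"\x00" * 0x40
    for s in ("Select * from AntivirusProduct", "PCRestart", "StopDDos", "sendPlugin"):
        blob += s.encode("utf-16-le") + b"\x00\x00"
    blob += "POST / HTTP/1.1".encode("utf-16-le")
    return bytes(blob)


if __name__ == "__main__":
    for rule, res in evaluate(build_sample()).items():
        print(f"{rule}: {res['count']} strings matched, fires={res['fires']}")
        for s, hits in res["matched"].items():
            print("   ", ", ".join(f"0x{o:x} ({enc})" for o, enc in hits), repr(s))
```

Run against a real sample by replacing build_sample() with the file's bytes; for a .NET image the "wide" hits land in the #US heap and the "ascii" hits in the #Strings heap, which is exactly the split visible in the offsets reported above.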

            System Summary

Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 176.113.115.225, DestinationIsIpv6: false, DestinationPort: 4444, EventID: 3, Image: C:\Users\user\Desktop\uPt3XcHAIA.exe, Initiated: true, ProcessId: 800, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49723
Suricata IDS alerts, SID 2852870 (ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes), severity 1, classtype: Malware Command and Control Activity Detected, source 176.113.115.225:4444 -> destination 192.168.2.6:49723, TCP. 71 alerts, at the following timestamps:
2025-01-27T19:47:39.849409+0100
2025-01-27T19:47:52.131264+0100
2025-01-27T19:47:57.039305+0100
2025-01-27T19:48:04.402459+0100
2025-01-27T19:48:16.686320+0100
2025-01-27T19:48:27.151743+0100
2025-01-27T19:48:27.163187+0100
2025-01-27T19:48:28.964727+0100
2025-01-27T19:48:34.042496+0100
2025-01-27T19:48:35.714190+0100
2025-01-27T19:48:35.835733+0100
2025-01-27T19:48:36.197200+0100
2025-01-27T19:48:36.318896+0100
2025-01-27T19:48:37.299149+0100
2025-01-27T19:48:43.199146+0100
2025-01-27T19:48:55.485317+0100
2025-01-27T19:48:56.948742+0100
2025-01-27T19:48:58.090441+0100
2025-01-27T19:49:01.855424+0100
2025-01-27T19:49:01.977426+0100
2025-01-27T19:49:02.097504+0100
2025-01-27T19:49:05.043384+0100
2025-01-27T19:49:05.731384+0100
2025-01-27T19:49:16.467237+0100
2025-01-27T19:49:17.408738+0100
2025-01-27T19:49:20.199269+0100
2025-01-27T19:49:22.588865+0100
2025-01-27T19:49:23.667111+0100
2025-01-27T19:49:26.955923+0100
2025-01-27T19:49:27.839320+0100
2025-01-27T19:49:30.043362+0100
2025-01-27T19:49:30.590204+0100
2025-01-27T19:49:37.964953+0100
2025-01-27T19:49:38.104743+0100
2025-01-27T19:49:38.606216+0100
2025-01-27T19:49:40.464737+0100
2025-01-27T19:49:41.669930+0100
2025-01-27T19:49:48.391758+0100
2025-01-27T19:49:48.513115+0100
2025-01-27T19:49:55.652066+0100
2025-01-27T19:49:56.960052+0100
2025-01-27T19:49:58.714945+0100
2025-01-27T19:50:01.326127+0100
2025-01-27T19:50:03.948546+0100
2025-01-27T19:50:04.069877+0100
2025-01-27T19:50:09.543453+0100
2025-01-27T19:50:14.389004+0100
2025-01-27T19:50:14.510962+0100
2025-01-27T19:50:14.793515+0100
2025-01-27T19:50:15.039625+0100
2025-01-27T19:50:19.729732+0100
2025-01-27T19:50:20.123457+0100
2025-01-27T19:50:20.288518+0100
2025-01-27T19:50:25.776654+0100
2025-01-27T19:50:26.949859+0100
2025-01-27T19:50:33.011407+0100
2025-01-27T19:50:41.552795+0100
2025-01-27T19:50:50.741885+0100
2025-01-27T19:50:55.091448+0100
2025-01-27T19:50:56.956385+0100
2025-01-27T19:51:07.637616+0100
2025-01-27T19:51:07.880853+0100
2025-01-27T19:51:14.394012+0100
2025-01-27T19:51:26.659458+0100
2025-01-27T19:51:26.970512+0100
2025-01-27T19:51:27.277260+0100
2025-01-27T19:51:27.870800+0100
2025-01-27T19:51:28.966439+0100
2025-01-27T19:51:41.789173+0100
2025-01-27T19:51:53.390592+0100
2025-01-27T19:51:56.977164+0100
Suricata IDS alerts, SID 2852923 (ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)), severity 1, classtype: Malware Command and Control Activity Detected, source 192.168.2.6:49723 -> destination 176.113.115.225:4444, TCP. 68 alerts, at the following timestamps:
2025-01-27T19:47:39.992320+0100
2025-01-27T19:47:52.135913+0100
2025-01-27T19:48:04.404846+0100
2025-01-27T19:48:16.688351+0100
2025-01-27T19:48:29.004969+0100
2025-01-27T19:48:34.050656+0100
2025-01-27T19:48:35.716105+0100
2025-01-27T19:48:35.838458+0100
2025-01-27T19:48:35.958312+0100
2025-01-27T19:48:35.963718+0100
2025-01-27T19:48:36.080554+0100
2025-01-27T19:48:36.198995+0100
2025-01-27T19:48:36.320892+0100
2025-01-27T19:48:36.441272+0100
2025-01-27T19:48:36.446938+0100
2025-01-27T19:48:37.308339+0100
2025-01-27T19:48:43.200985+0100
2025-01-27T19:48:55.491176+0100
2025-01-27T19:48:58.092835+0100
2025-01-27T19:49:01.857547+0100
2025-01-27T19:49:01.979620+0100
2025-01-27T19:49:02.099888+0100
2025-01-27T19:49:02.246038+0100
2025-01-27T19:49:02.251412+0100
2025-01-27T19:49:05.046752+0100
2025-01-27T19:49:05.733835+0100
2025-01-27T19:49:16.469716+0100
2025-01-27T19:49:17.411446+0100
2025-01-27T19:49:20.201262+0100
2025-01-27T19:49:22.591022+0100
2025-01-27T19:49:23.669746+0100
2025-01-27T19:49:27.842622+0100
2025-01-27T19:49:30.046263+0100
2025-01-27T19:49:30.592880+0100
2025-01-27T19:49:37.970446+0100
2025-01-27T19:49:38.106735+0100
2025-01-27T19:49:38.610620+0100
2025-01-27T19:49:40.466864+0100
2025-01-27T19:49:41.672149+0100
2025-01-27T19:49:48.394206+0100
2025-01-27T19:49:48.515518+0100
2025-01-27T19:49:55.654784+0100
2025-01-27T19:49:58.716661+0100
2025-01-27T19:50:01.330588+0100
2025-01-27T19:50:03.950418+0100
2025-01-27T19:50:04.072294+0100
2025-01-27T19:50:09.546670+0100
2025-01-27T19:50:14.396493+0100
2025-01-27T19:50:14.512766+0100
2025-01-27T19:50:14.799127+0100
2025-01-27T19:50:14.921011+0100
2025-01-27T19:50:15.044517+0100
2025-01-27T19:50:19.732916+0100
2025-01-27T19:50:20.127013+0100
2025-01-27T19:50:20.291043+0100
2025-01-27T19:50:25.779392+0100
2025-01-27T19:50:33.013795+0100
2025-01-27T19:50:41.558882+0100
2025-01-27T19:50:50.782118+0100
2025-01-27T19:50:55.094978+0100
2025-01-27T19:51:07.640451+0100
2025-01-27T19:51:14.397229+0100
2025-01-27T19:51:26.662682+0100
2025-01-27T19:51:27.279211+0100
2025-01-27T19:51:28.586024+0100
2025-01-27T19:51:28.967354+0100
2025-01-27T19:51:41.790066+0100
2025-01-27T19:51:53.391791+0100
Suricata IDS alerts, SID 2858801 (ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound), severity 1, classtype: Malware Command and Control Activity Detected, source 176.113.115.225:4444 -> destination 192.168.2.6:49723, TCP. 1 alert, at:
2025-01-27T19:47:57.039305+0100
Suricata IDS alerts, SID 2858799 (ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound), severity 1, classtype: Malware Command and Control Activity Detected, source 192.168.2.6:49723 -> destination 176.113.115.225:4444, TCP. 1 alert, at:
2025-01-27T19:48:37.080337+0100
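The alert tables above are the observable side of the XWorm check-in loop: every server-side "Checkin" alert (SID 2852870) is answered by a client-side one (SID 2852923) a few milliseconds later, and the pairs recur at a steady interval. The following added example (written for this page; not Joe Sandbox or Emerging Threats code) turns that log into numbers a SOC analyst would want: inter-alert gaps per SID, and the set of remote endpoints the sandbox host reached without any DNS answer for them, cross-checked against the C2 host and port from the extracted configuration. The ALERTS rows are copied from the first lines of the tables; RESOLVED_IPS is empty because the report records "TCP traffic detected without corresponding DNS query" for the C2 address, and the SANDBOX_HOST constant is the analysis VM's address as shown in the Sigma data.

```python
"""
Beacon cadence and no-DNS C2 contact, derived from the Suricata alert rows.

Added example, not Joe Sandbox or Emerging Threats code. ALERTS rows are
copied from the report's alert tables; C2_HOST/C2_PORT come from the
extracted configuration; RESOLVED_IPS models the (absent) DNS answers.
"""
from __future__ import annotations

from datetime import datetime
from statistics import median

C2_HOST, C2_PORT = "176.113.115.225", 4444   # from the extracted config
SANDBOX_HOST = "192.168.2.6"                  # analysis VM, from the Sigma data

# (timestamp, sid, src_ip, src_port, dst_ip, dst_port), copied from the report.
ALERTS = [
    ("2025-01-27T19:47:39.849409+0100", 2852870, "176.113.115.225", 4444, "192.168.2.6", 49723),
    ("2025-01-27T19:47:39.992320+0100", 2852923, "192.168.2.6", 49723, "176.113.115.225", 4444),
    ("2025-01-27T19:47:52.131264+0100", 2852870, "176.113.115.225", 4444, "192.168.2.6", 49723),
    ("2025-01-27T19:47:52.135913+0100", 2852923, "192.168.2.6", 49723, "176.113.115.225", 4444),
    ("2025-01-27T19:47:57.039305+0100", 2858801, "176.113.115.225", 4444, "192.168.2.6", 49723),
    ("2025-01-27T19:48:04.402459+0100", 2852870, "176.113.115.225", 4444, "192.168.2.6", 49723),
    ("2025-01-27T19:48:04.404846+0100", 2852923, "192.168.2.6", 49723, "176.113.115.225", 4444),
    ("2025-01-27T19:48:16.686320+0100", 2852870, "176.113.115.225", 4444, "192.168.2.6", 49723),
    ("2025-01-27T19:48:16.688351+0100", 2852923, "192.168.2.6", 49723, "176.113.115.225", 4444),
    ("2025-01-27T19:48:37.080337+0100", 2858799, "192.168.2.6", 49723, "176.113.115.225", 4444),
]

# IPs seen in DNS answers during the capture. Empty: the report saw none for the C2.
RESOLVED_IPS: set[str] = set()


def parse_ts(ts: str) -> datetime:
    """Suricata timestamp 'YYYY-MM-DDTHH:MM:SS.ffffff+HHMM' -> timezone-aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def gaps_by_sid(alerts) -> dict[int, list[float]]:
    """Seconds between consecutive alerts of the same SID, in time order."""
    times: dict[int, list[datetime]] = {}
    for ts, sid, *_ in alerts:
        times.setdefault(sid, []).append(parse_ts(ts))
    return {
        sid: [(b - a).total_seconds() for a, b in zip(t, t[1:])]
        for sid, t in ((sid, sorted(v)) for sid, v in times.items())
    }


def cadence(gaps: list[float]) -> dict[str, float] | None:
    """min/median/max gap, or None when a SID fired only once (no interval to measure)."""
    if not gaps:
        return None
    return {"min": min(gaps), "median": median(gaps), "max": max(gaps)}


def unresolved_outbound(alerts, resolved: set[str]) -> set[tuple[str, int]]:
    """Remote endpoints the sandbox host contacted without a DNS answer naming them."""
    return {
        (dst, dport)
        for _, _, src, _, dst, dport in alerts
        if src == SANDBOX_HOST and dst not in resolved
    }


def talks_to_configured_c2(alerts) -> bool:
    """True if any alert involves the host:port from the extracted malware configuration."""
    return any(
        (src, sport) == (C2_HOST, C2_PORT) or (dst, dport) == (C2_HOST, C2_PORT)
        for _, _, src, sport, dst, dport in alerts
    )


if __name__ == "__main__":
    for sid, gaps in gaps_by_sid(ALERTS).items():
        print(sid, cadence(gaps))
    print("outbound without DNS:", unresolved_outbound(ALERTS, RESOLVED_IPS))
    print("matches extracted C2:", talks_to_configured_c2(ALERTS))
```

On the copied rows the check-in SIDs repeat roughly every 12 seconds, which is the value to carry into a beaconing detection, and the only outbound endpoint without a DNS answer is exactly the configured C2, so a "hard-coded IP, no DNS" rule would have caught this flow even without the ETPRO signatures.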


            AV Detection

Source: uPt3XcHAIA.exe | Avira: detected
Source: uPt3XcHAIA.exe | Malware Configuration Extractor: Xworm {"C2 url": ["176.113.115.225"], "Port": 4444, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: uPt3XcHAIA.exe | Virustotal: Detection: 69%
Source: uPt3XcHAIA.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: uPt3XcHAIA.exe | Joe Sandbox ML: detected
Source: uPt3XcHAIA.exe | String decryptor: 176.113.115.225
Source: uPt3XcHAIA.exe | String decryptor: 4444
Source: uPt3XcHAIA.exe | String decryptor: P0WER
Source: uPt3XcHAIA.exe | String decryptor: <Xwormmm>
Source: uPt3XcHAIA.exe | String decryptor: XWorm
Source: uPt3XcHAIA.exe | String decryptor: USB.exe
Source: uPt3XcHAIA.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: uPt3XcHAIA.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: Network traffic | Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49723 -> 176.113.115.225:4444
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 176.113.115.225:4444 -> 192.168.2.6:49723
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49723 -> 176.113.115.225:4444
Source: Network traffic | Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 176.113.115.225:4444 -> 192.168.2.6:49723
Source: Network traffic | Suricata IDS: 2858799 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49723 -> 176.113.115.225:4444
Source: Malware configuration extractor | URLs: 176.113.115.225
Source: global traffic | TCP traffic: 192.168.2.6:49723 -> 176.113.115.225:4444
Source: Joe Sandbox View | ASN Name: SELECTELRU SELECTELRU
Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.225 (listed 50 times in the report)
            Source: uPt3XcHAIA.exe, 00000000.00000002.4760685747.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            System Summary

            Source: uPt3XcHAIA.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: uPt3XcHAIA.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.0.uPt3XcHAIA.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.0.uPt3XcHAIA.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000000.2313202746.0000000000922000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Code function: 0_2_00007FFD342770B2
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Code function: 0_2_00007FFD3427A219
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Code function: 0_2_00007FFD34276306
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Code function: 0_2_00007FFD3427B248
            Source: uPt3XcHAIA.exe, 00000000.00000000.2313202746.0000000000922000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs uPt3XcHAIA.exe
            Source: uPt3XcHAIA.exe | Binary or memory string: OriginalFilenameXClient.exe4 vs uPt3XcHAIA.exe
            Source: uPt3XcHAIA.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: uPt3XcHAIA.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: uPt3XcHAIA.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.0.uPt3XcHAIA.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.0.uPt3XcHAIA.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000000.2313202746.0000000000922000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: uPt3XcHAIA.exe, 75nEg0zZR0dHe.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: uPt3XcHAIA.exe, 75nEg0zZR0dHe.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: uPt3XcHAIA.exe, ocdWY4uta2L6F.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Mutant created: \Sessions\1\BaseNamedObjects\pWbxsRP5Z5tLW4V1
            Source: uPt3XcHAIA.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: uPt3XcHAIA.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: uPt3XcHAIA.exe | Virustotal: Detection: 69%
            Source: uPt3XcHAIA.exe | ReversingLabs: Detection: 78%
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: avicap32.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: msvfw32.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: uPt3XcHAIA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: uPt3XcHAIA.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: uPt3XcHAIA.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH._7ou4q3URxUtrcBhAksV8MILst8vvfhGZzz84cTowdPeJNJqpazaC0zcplhKSCF9TGZGal9qwtbeNZDXuM4ysc7,Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH.B5vObioagoHeuBETToqXO7c4SBvzgegJ2rVxzrn97Z01VyClBh4RfVnBpn3uLZmwBfvDkA7hA0zjL4bYk2F9Lw,Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH.MGHflsToeaIGYe2QlJGLifoJfKHFMzr3e7F5gXl32IYYefKteaV3QAP8fQuyq1nSYPUyb4dRKPWQTfFJrBKDJn,Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH.JavtZpWbEUzyaboWUx5EzFRMnopkNEbRbaMCyBm6SCxx4PxjVvD0SD2eCoxY6CvuIPhM1bDKYzUwSKBPVNSu3Q,_75nEg0zZR0dHe.a5l48OPDiZ3ML()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: uPt3XcHAIA.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{N6aiy2oVGGWRy[2],_75nEg0zZR0dHe.UcVmBdslgVk5f(Convert.FromBase64String(N6aiy2oVGGWRy[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: uPt3XcHAIA.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs.Net Code: ZUmB24n464ntiQrflcihkDyPco81l8Q7DbSzDtnPgle6J6wZ28XmQUOLWjnlfqlyYqNcIrx System.AppDomain.Load(byte[])
            Source: uPt3XcHAIA.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs.Net Code: RocT7i11N77Uf System.AppDomain.Load(byte[])
            Source: uPt3XcHAIA.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs.Net Code: RocT7i11N77Uf
            Source: uPt3XcHAIA.exe, b4uun3ISTXKnf.csHigh entropy of concatenated method names: 'YCjMUCUaS1W51', 'nBYZp8mEKNdCM', 'A0fHqAYUq6yHF', '_1mVdS59RD9WRXjpk4dgLoY55DRM5wYkWRMGMMurlj3LIOgyP', 'fHMQFoqEOaRpZM5LGroxVJm37fqi9jUrbA6e0tMx0g2V8mYW', 'LoB5UwuYY5RTRpo7KYVsQo0M18w3Nqjvx6hFEJtWrmEhpNS8', '_8xzyi24VkTi5m5Gsy7XUUolTzE6ThsmXs6bUc1FmIJiIWf1C', '_0fb1PXYa6kb1Rh7XSfKSHk6h0u9Dpwhkn0aPYGvFcLJ9j5gx', 'muNz9fBp8MEGjEaAaR4gHkqhVUn1c7430siPvrb9kzSiFIcm', 'br3It0Vta53HcAKawwe4bhthaz6XVj4dQqIhe3SzkIF6mbdR'
            Source: uPt3XcHAIA.exe, Okx2cEcCTYefVQm6EymR3DAHXaTSljZM45uWUuKfmTQXlObkYx2hI.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'qhoRWWDGbIaBYf1xlc2ObtVWJaKjgV1', 'DymWxUA0Gzkq60kzVxmAsWvR6nPAUbA', 'VRGwbt4QosOEYZDJMW6oiZAv0pO17cG', 'yUA6AUHSQfBMMR68GOUobZVEBz10NVn'
            Source: uPt3XcHAIA.exe, 6jI32o4ws06OX.csHigh entropy of concatenated method names: 'RaiFrYHEhVkGS', 'hx6hnTTFdwvcvMmU5tfd16J2MYSLJ0eJ6OI49uozqUzfAV2hp9pL3WXmxeqoyAR', 'cNGApf86khPqX7UFOcOQ1vxse4iSyACnzfVfGwGsr2VBKXVV9zlAAxqefX2ESAr', 'A59evJghrlNxzbqc6Ps2fGGXCHRposxsPG3o30QgIEcDchw2DXYQuOTjARh5Abl', '_6zBH6zRaU2H1LVlnglmQDC83mL96YyuygQvcn37k0CYYQ5ofHgMOFoWn6791yKg'
            Source: uPt3XcHAIA.exe, ZIg8Qqo0jZuX2XOx4xLqAhf47oWpoNvAaxwAcDK84nM8ufFMnbxFnWhlwugUCXkJBxJUgDoiGL4JxxlL3N6MWF.csHigh entropy of concatenated method names: 'PCMd3nft0XRAEjjfTvQ9XSikDVDfw1SFeuJjcMNu23L9ut7hUam2JtbvJNG9Q1LtII1NXrvJ1pXXQSrlwu1LGA', 'Jd7dipyiHVKFnnn5TtLlCT4QqQcZ1LcpveZHXmyGRURwhmIt91DiUsUw2JHJYqACligP1uXjRP19gLBuHeVNXP', 'lqsu07OmfboE51hkKcFQZfOeohQgdsXJpwH19tPJIxbnloG0EQElOpFNlXw1YWFWHdBtCAUCGx7RzUPrp0vj6O', 'Pl2rLE4NFtvwpuxh9sQICrTA02puQ3l0wmGobDtKEtDQYp9NtFnsr0yJ4EXv69vEnPqN47QpRHNc0MkAuxuG3X', 'KdVFbPcZtmc5qWDmWAxenzBQZsFj2y1IkVJrkWTaZqy4RN5x7X4UJCZPqGfR1nIGQKiSLvDck0jrhrNMj4Zhvt', 'sWK8vuJRm8M7VFNfVet38IXxMDOBVpNoEvoaJOy2fXnYDixgCoJOZUvyQExFEXEIJedbrENkdjo3JUdsqHJdHg', '_78E00qSUqiwXMsuRg9AR5r0Et06xyxHKa0yYgelPQWb9XWLYWB4QHANvr24N0UIz7XMOPBk4xHjZRn2irwSEm6', 'Kn2ickZPGCnkIfx2SIh0FyIsImdy0JdL95XdZq2zkx2ARnyABIA01bCELcv0k43JTab4APMbIIb4YBAdNd6fZG', 'a0uJIUhDNBBBOsnT1speyYAmyNBYhRuHZ6DqkqZKWSSvHYpDrB0WRRXcgd7rVvs4H7iax7ntPSkFgBGt4PpWRr', '_72TWMwDUPUengDslxZ7ashZ9blkvIyPqCf8HrPSykCuRkJtI24TRm4hbjqsd3YPrTmShlG573OHlL5nTRSqa1t'
            Source: uPt3XcHAIA.exe, 75nEg0zZR0dHe.csHigh entropy of concatenated method names: '_5deq5ZMjXSyOV', '_1ylcOTS7IequM', 'Jec3M7x8OHYHU', 'XFGNrMmv4br0v', '_1UPCebSNb17oS', 'ZWHoZcMAqG9NM', 'b2F5a7qBXz5Vo', 'yxkqiLSPeeleq', 'xbsVGOJehhaH3', '_2QsbjhSfy2vJi'
            Source: uPt3XcHAIA.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.csHigh entropy of concatenated method names: '_1nUdV8zCgrBa3pV3QCLM48pI7PGiNwJLvkgLDquedBS0T55d2IBdIKrGglAUEGkd3y4QntF', 'ZUmB24n464ntiQrflcihkDyPco81l8Q7DbSzDtnPgle6J6wZ28XmQUOLWjnlfqlyYqNcIrx', 'Fqv6NSSymAkmG1Tv6yUOrZ1GG2fbAU7RdkKa1NI9XlVZ6MhApGbUjYA1ZrP9nbK4WaYQWO6', 'NN4ROQ4RugYSKZgXWTebgYaOkvNaAjJLJwZ4WGeS1tFDMHcXwQWLIXcAcxQT9SrJVlS5idE', 'A8u0DQJPq3SvcF1uAdysGKN9Evjx3OQ7rrDcxaJUNmcNtWxHKL5npGDS8Jvg48bYqJTvHCs', 'hm6KXVdf3MWpMoAIsalbhUDSQJwI8Ei27WKvbTt5UVmAEOSCzCom2ybLOPDTY6NKIgssTG5', 'ikPkXINAQMgiz2gNKsResrVJD5I3SwrfAxRQfhldfRVkkXrgfnoxbjRw0b4jEd2hAw5nOyj', 'UtsfbvVmPY2OOjmvLR2JLhy36YRk6vk96eYY8K6gzyUGtVUiyqWf8ry33MA7oYVqMX2thcx', 'W3YjdpEgWQybF', 'Fh9HwxHIZFa4I'
            Source: uPt3XcHAIA.exe, ocdWY4uta2L6F.csHigh entropy of concatenated method names: '_6ZbrahaikQCcd', 'zs2tTgBzWM2mD3yMJQAVREjQu4hieQ4zJOhnrEN0B7Iai5Bj5S1qmooPZamjemY', 'qldTlCiD7qExb6p4FxM2p1D1P4wVYjKrUvg5ITB3mJe01cpffWrLtj0juPPuHby', 'Ee2Ud3UssTJpmjLUQoJ1fHkbl0dggJMamVcMoQhRFOMYQ9wxb7t3njBLekP1Swq', 'pDUvkqaLWIjKFi4nijh2Jb8W1I4Otb9JmwPdWMYUbQEZzafaxgSof1cPOmsujXC'
            Source: uPt3XcHAIA.exe, zdtkXphm1qUGTOgxhhi6mhj0ZkS1NHj4NF8FjvfZJNSQEp8xxlOX8RlyrbWrOff2QnlKL3srkSeTIIF5qlGNY2.csHigh entropy of concatenated method names: 'yi6PZbY6haSeIP2qzmu8X8djxweLUaPHTLfzJhTrpBjyISPgxoNbD967E6KaCuklnmMJqhQEKm5AGpsuhm5pSN', 'HVGwB1qYNdzDwmFsbSmVov1zNXLwLT8QXhkHsqMK44ZYNBPnRY6H1fTBuMr2Fx1Kxph0CctRvpO1SwTuptCjNO', 'wSQ1TOl0Qw1PGzDkvkXh7wUppmfQM5treEokthCDrGK39TWWXnydBfcdbFG6XjbJC6y3aqqxtbCO6ApGxw2tL6', 'N13xUgTiqRGgZcZSLgqtUAuBlIiSpr5', 'f1eW6VvNCHDPH0jcJOhj3UvX2FcBwMa', 'y59PbByil3pLYv7mufMbV2KNL8dC9TO', 'jBQxblwueNcd01bwF0d8OHwlr1FFL32', 'DK7dv84vaZIzUWLkljXYRsgtl2JmFc6', 'WaxLR0sqXoIPzoMu91Boe8hzh7EaW0z', 'cZKh39JIUQn9kJXDoNgi5yfVlokWVJj'
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Memory allocated: 1060000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Memory allocated: 1AB60000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Window / User API: threadDelayed 9162
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Window / User API: threadDelayed 664
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe TID: 6028 | Thread sleep time: -14757395258967632s >= -30000s
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe TID: 5812 | Thread sleep count: 9162 > 30
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe TID: 5812 | Thread sleep count: 664 > 30
            Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Thread delayed: delay time: 922337203685477
            Source: uPt3XcHAIA.exe, 00000000.00000002.4757692302.0000000000E03000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

            Anti Debugging

            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Process Stats: CPU usage > 42% for more than 60s
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Process token adjusted: Debug
            Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Memory allocated: page read and write | page guard
            Source: uPt3XcHAIA.exe, 00000000.00000002.4760685747.0000000002F09000.00000004.00000800.00020000.00000000.sdmp, uPt3XcHAIA.exe, 00000000.00000002.4760685747.0000000002F63000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
            Source: uPt3XcHAIA.exe, 00000000.00000002.4760685747.0000000002F09000.00000004.00000800.00020000.00000000.sdmp, uPt3XcHAIA.exe, 00000000.00000002.4760685747.0000000002F63000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager26
            Source: uPt3XcHAIA.exe, 00000000.00000002.4760685747.0000000002F09000.00000004.00000800.00020000.00000000.sdmp, uPt3XcHAIA.exe, 00000000.00000002.4760685747.0000000002F63000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: uPt3XcHAIA.exe, 00000000.00000002.4760685747.0000000002F09000.00000004.00000800.00020000.00000000.sdmp, uPt3XcHAIA.exe, 00000000.00000002.4760685747.0000000002F63000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
            Source: uPt3XcHAIA.exe, 00000000.00000002.4760685747.0000000002F09000.00000004.00000800.00020000.00000000.sdmp, uPt3XcHAIA.exe, 00000000.00000002.4760685747.0000000002F63000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Queries volume information: C:\Users\user\Desktop\uPt3XcHAIA.exe VolumeInformation
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: uPt3XcHAIA.exe, 00000000.00000002.4757692302.0000000000E03000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\uPt3XcHAIA.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: uPt3XcHAIA.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.uPt3XcHAIA.exe.920000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.2313202746.0000000000922000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.4760685747.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: uPt3XcHAIA.exe PID: 800, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: uPt3XcHAIA.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.uPt3XcHAIA.exe.920000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.2313202746.0000000000922000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.4760685747.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: uPt3XcHAIA.exe PID: 800, type: MEMORYSTR

            MITRE ATT&CK Matrix (one line per tactic; a number before a technique name is the count badge shown next to that technique in the matrix)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
            Execution: 11 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Defense Evasion: 1 Disable or Modify Tools; 232 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Software Packing; 1 DLL Side-Loading
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
            Discovery: 221 Security Software Discovery; 1 Process Discovery; 232 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery; Wi-Fi Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
            Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
            Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
            Behavior Graph (graph image not included) | Behavior Graph ID: 1600635 | Sample: uPt3XcHAIA.exe | Startdate: 27/01/2025 | Architecture: WINDOWS | Score: 100
            Start node signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
            Process started: uPt3XcHAIA.exe
            Contacted: 176.113.115.225, 4444, 49723 | SELECTELRU | Russian Federation
            Process signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found potential dummy code loops (likely to delay analysis)

            Source | Detection | Scanner | Label
            uPt3XcHAIA.exe | 69% | Virustotal |
            uPt3XcHAIA.exe | 79% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
            uPt3XcHAIA.exe | 100% | Avira | HEUR/AGEN.1305769
            uPt3XcHAIA.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            Source | Detection | Scanner | Label
            176.113.115.225 | 0% | Avira URL Cloud | safe


            No contacted domains info
            Name | Malicious | Antivirus Detection | Reputation
            176.113.115.225 | true | Avira URL Cloud: safe | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | uPt3XcHAIA.exe, 00000000.00000002.4760685747.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | false | | high
            IP | Domain | Country | ASN | ASN Name | Malicious
            176.113.115.225 | unknown | Russian Federation | 49505 | SELECTELRU | true
              Joe Sandbox version:42.0.0 Malachite
              Analysis ID:1600635
              Start date and time:2025-01-27 19:46:11 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 7m 10s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:15
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Sample name:uPt3XcHAIA.exe
              renamed because original name is a hash value
              Original Sample Name:50bfc65f3fe6da315552cec46f02127ed91ddae075d6167f3c76606686cd1708.exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@1/0@0/1
              EGA Information:Failed
              HCA Information:
              • Successful, ratio: 86%
              • Number of executed functions: 47
              • Number of non-executed functions: 1
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240000 for current running targets taking high CPU consumption
              • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 20.190.159.73, 20.223.36.55, 20.12.23.50, 2.21.65.154, 150.171.27.10, 2.23.242.162
              • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target uPt3XcHAIA.exe, PID 800 because it is empty
Time | Type | Description
13:47:26 | API Interceptor | 12643716x Sleep call for process: uPt3XcHAIA.exe modified

Match | Associated Sample Name / URL | Detection | Threat Name
176.113.115.225 | qlGJTKUY7O.exe | malicious | XWorm
176.113.115.225 | 176.113.115_2.225.ps1 | malicious | XWorm

No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
SELECTELRU | qlGJTKUY7O.exe | malicious | XWorm | 176.113.115.225
SELECTELRU | 176.113.115_2.225.ps1 | malicious | XWorm | 176.113.115.225
SELECTELRU | p199AjsEFs.exe | malicious | Amadey, AsyncRAT, KeyLogger, LummaC Stealer, PureLog Stealer, ReverseShell, Stealc | 176.113.115.163
SELECTELRU | VbEfsnL4cp.exe | malicious | LummaC Stealer | 176.113.115.215
SELECTELRU | 2E02vIiMfd.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar | 176.113.115.96
SELECTELRU | grcKLMutRS.exe | malicious | LummaC Stealer | 176.113.115.215
SELECTELRU | 4WzIkJRbcc.exe | malicious | LummaC Stealer | 176.113.115.215
SELECTELRU | 2r81fhbT6k.exe | malicious | LummaC Stealer | 176.113.115.215
SELECTELRU | random.exe | malicious | Amadey, Socks5Systemz | 176.113.115.96
SELECTELRU | random.exe | malicious | Socks5Systemz | 176.113.115.96

No context
No context
                  No created / dropped files found
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):5.955497874352868
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  • Win32 Executable (generic) a (10002005/4) 49.75%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Windows Screen Saver (13104/52) 0.07%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  File name:uPt3XcHAIA.exe
                  File size:56'832 bytes
                  MD5:652eb7df5ebb74a48f6d7ad357600fc0
                  SHA1:79ea7d68bcbd37946f326edd417f5b91833818a7
                  SHA256:50bfc65f3fe6da315552cec46f02127ed91ddae075d6167f3c76606686cd1708
                  SHA512:ce850ed3b755526d86bc0d398d556dd33987fa27a1b0e830bfbb4a8a0268a44f62662ee6bf1231571cf461c21428f1933785b35f3ebe2a5eab0a6f3903a9fbea
                  SSDEEP:1536:b5KQvE0Z2J8hY2LZje1xXiyNPkbERvEVc8BO9nHn:dKQ838htC1xXkbE7sO9H
                  TLSH:A6436C1837B64127D5FF9FB418F23213D67AB723A412EA5F28C541862B17A8CCD912F6
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p.g............................n.... ........@.. .......................@............@................................
                  Icon Hash:00928e8e8686b000
                  Entrypoint:0x40f26e
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x679270D9 [Thu Jan 23 16:39:53 2025 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                  Instruction
                  jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf220 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x4ce | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd274 | 0xd400 | b7405d31711236f0e57e5ae179990193 | False | 0.6131522700471698 | data | 6.053995047071589 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x10000 | 0x4ce | 0x600 | b6854ead75e0aea5a0ec3175723e462f | False | 0.3736979166666667 | data | 3.7184457289766475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12000 | 0xc | 0x200 | 6337b9e9d5046d21cbc9e9adf359daaa | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x100a0 | 0x244 | data | | | 0.4724137931034483
RT_MANIFEST | 0x102e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-27T19:47:39.631416+0100 | 2858800 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:47:39.849409+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:47:39.992320+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:47:52.131264+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:47:52.135913+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:47:57.039305+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:47:57.039305+0100 | 2858801 | ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:48:04.402459+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:48:04.404846+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:16.686320+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:48:16.688351+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:27.151743+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:48:27.163187+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:48:28.964727+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:48:29.004969+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:34.042496+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:48:34.050656+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:35.714190+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:48:35.716105+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:35.835733+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:48:35.838458+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:35.958312+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:35.963718+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:36.080554+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:36.197200+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:48:36.198995+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:36.318896+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:48:36.320892+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:36.441272+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:36.446938+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:37.080337+0100 | 2858799 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:37.299149+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:48:37.308339+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:43.199146+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:48:43.200985+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:55.485317+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:48:55.491176+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:56.948742+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:48:58.090441+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:48:58.092835+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:01.855424+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:01.857547+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:01.977426+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:01.979620+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:02.097504+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:02.099888+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:02.246038+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:02.251412+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:05.043384+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:05.046752+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:05.731384+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:05.733835+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:16.467237+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:16.469716+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:17.408738+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:17.411446+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:20.199269+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:20.201262+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:22.588865+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:22.591022+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:23.667111+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:23.669746+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:26.955923+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:27.839320+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:27.842622+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:30.043362+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:30.046263+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:30.590204+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:30.592880+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:37.964953+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:37.970446+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:38.104743+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:38.106735+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:38.606216+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:38.610620+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:40.464737+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:40.466864+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:41.669930+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:41.672149+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:48.391758+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:48.394206+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:48.513115+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:48.515518+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:55.652066+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:55.654784+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:56.960052+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:58.714945+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:49:58.716661+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:01.326127+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:50:01.330588+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:03.948546+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:50:03.950418+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:04.069877+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:50:04.072294+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:09.543453+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:50:09.546670+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:14.389004+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:50:14.396493+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:14.510962+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:50:14.512766+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:14.793515+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:50:14.799127+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:14.921011+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:15.039625+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:50:15.044517+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:19.729732+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:50:19.732916+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:20.123457+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:50:20.127013+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:20.288518+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:50:20.291043+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:25.776654+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:50:25.779392+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:26.949859+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:50:33.011407+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:50:33.013795+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:41.552795+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:50:41.558882+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:50.741885+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:50:50.782118+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:55.091448+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:50:55.094978+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:56.956385+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:51:07.637616+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:51:07.640451+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:07.880853+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:51:14.394012+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:51:14.397229+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:26.659458+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:51:26.662682+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:26.970512+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:51:27.277260+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:51:27.279211+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:27.870800+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:51:28.586024+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:28.966439+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:51:28.967354+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:41.789173+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:51:41.790066+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:53.390592+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
2025-01-27T19:51:53.391791+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49723 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:56.977164+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.6 | 49723 | TCP
                  Timestamp                          Source Port  Dest Port  Source IP        Dest IP
                  Jan 27, 2025 19:47:27.122915983 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:47:27.129201889 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:47:27.129324913 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:47:27.351229906 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:47:27.357060909 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:47:39.631416082 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:47:39.638252020 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:47:39.849409103 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:47:39.904586077 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:47:39.992320061 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:47:39.997260094 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:47:51.905112028 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:47:51.910790920 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:47:52.131263971 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:47:52.135912895 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:47:52.141076088 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:47:57.039304972 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:47:57.092583895 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:04.186405897 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:04.192800045 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:04.402458906 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:04.404845953 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:04.409764051 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:16.468311071 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:16.476353884 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:16.686320066 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:16.688350916 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:16.694726944 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:27.151742935 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:27.163187027 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:27.163899899 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:28.748790979 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:28.753690958 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:28.964726925 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:29.004968882 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:29.009912968 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:33.827416897 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:33.832237959 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:34.042495966 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:34.050656080 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:34.055516958 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:35.498903036 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:35.503700018 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:35.514333963 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:35.519113064 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:35.577064991 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:35.581849098 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:35.608135939 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:35.612982035 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:35.623713970 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:35.628503084 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:35.639631987 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:35.644414902 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:35.670653105 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:35.675425053 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:35.701916933 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:35.706682920 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:35.714190006 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:35.716104984 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:35.762986898 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:35.764682055 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:35.769505024 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:35.835732937 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:35.838458061 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:35.843290091 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:35.956193924 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:35.958312035 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:35.963673115 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:35.963717937 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:35.969207048 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:35.998814106 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:36.004812956 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:36.030148983 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:36.038723946 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:36.061492920 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:36.069001913 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:36.078035116 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:36.080554008 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:36.127039909 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:36.127218008 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:36.132850885 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:36.197200060 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:36.198995113 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:36.203880072 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:36.318896055 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:36.320892096 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:36.325953960 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:36.439376116 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:36.441272020 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:36.446892977 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:36.446938038 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:36.454371929 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:37.080337048 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:37.089032888 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:37.299149036 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:37.308339119 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:37.316025019 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:42.983371019 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:42.988164902 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:43.199146032 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:43.200984955 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:43.205873013 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:55.264564991 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:55.273013115 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:55.485316992 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:55.491175890 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:55.496002913 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:56.948741913 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:57.139230967 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:57.874012947 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:57.880470991 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:58.090440989 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:48:58.092834949 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:48:58.099798918 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:01.639770985 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:01.644797087 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:01.717735052 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:01.722567081 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:01.748965979 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:01.753928900 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:01.780384064 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:01.785449028 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:01.811580896 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:01.816569090 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:01.855423927 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:01.857547045 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:01.903090000 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:01.977426052 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:01.979619980 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:01.987114906 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:02.097503901 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:02.099888086 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:02.104741096 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:02.217992067 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:02.246037960 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:02.251354933 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:02.251411915 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:02.256154060 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:04.826952934 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:04.834009886 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:05.043384075 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:05.046751976 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:05.051723003 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:05.502734900 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:05.507630110 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:05.731384039 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:05.733834982 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:05.738681078 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:16.249485016 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:16.254491091 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:16.467236996 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:16.469716072 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:16.477253914 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:17.170664072 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:17.175594091 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:17.408737898 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:17.411446095 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:17.416259050 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:19.983146906 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:19.988111973 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:20.199269056 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:20.201261997 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:20.206176043 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:22.373855114 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:22.378709078 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:22.588865042 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:22.591022015 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:22.595985889 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:23.452019930 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:23.456850052 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:23.667110920 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:23.669745922 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:23.674601078 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:26.955923080 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:26.999286890 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:27.624164104 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:27.629035950 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:27.839319944 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:27.842622042 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:27.847440004 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:29.827146053 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:29.832221031 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:30.043361902 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:30.046262980 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:30.051107883 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:30.373944998 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:30.379486084 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:30.590204000 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:30.592880011 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:30.597759008 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:37.749057055 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:37.754929066 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:37.889472008 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:37.895853043 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:37.964952946 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:37.970446110 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:37.975728989 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:38.104743004 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:38.106734991 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:38.111610889 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:38.389456987 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:38.395497084 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:38.606215954 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:38.610620022 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:38.615802050 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:40.249058962 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:40.254103899 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:40.464736938 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:40.466864109 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:40.472568989 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:41.454539061 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:41.461280107 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:41.669929981 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:41.672148943 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:41.678172112 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:48.170787096 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:48.176692009 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:48.295815945 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:48.300666094 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:48.391757965 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:48.394206047 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:48.399089098 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:48.513114929 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:48.515517950 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:48.520431042 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:55.436517954 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:55.441472054 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:55.652065992 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:55.654783964 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:55.659686089 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:56.960052013 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:57.016475916 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:58.499396086 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:58.504673004 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:58.714945078 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:49:58.716660976 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:49:58.721750021 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:01.111016035 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:01.116003036 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:01.326127052 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:01.330588102 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:01.336571932 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:03.686496973 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:03.691644907 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:03.702418089 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:03.707297087 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:03.948545933 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:03.950417995 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:03.957179070 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:04.069876909 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:04.072293997 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:04.078495979 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:09.326992035 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:09.332751036 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:09.543452978 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:09.546669960 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:09.551465988 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:14.155209064 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:14.162918091 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:14.186646938 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:14.194786072 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:14.389003992 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:14.396492958 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:14.401386023 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:14.452438116 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:14.457300901 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:14.483516932 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:14.488778114 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:14.498965025 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:14.504224062 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:14.510962009 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:14.512765884 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:14.563060999 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:14.563162088 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:14.567923069 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:14.577646017 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:14.582551003 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:14.704519033 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:14.709356070 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:14.793514967 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:14.799127102 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:14.803988934 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:14.918766022 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:14.921010971 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:14.927973986 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:14.928114891 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:14.934099913 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:15.039624929 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:15.044517040 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:15.049515009 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:19.514765024 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:19.519593000 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:19.729732037 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:19.732916117 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:19.737740040 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:19.748867035 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:19.760085106 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:19.780375004 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:19.786632061 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:20.123456955 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:20.127012968 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:20.132375956 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:20.288517952 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:20.291043043 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:20.299473047 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:25.561435938 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:25.566899061 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:25.776654005 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:25.779392004 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:25.785542965 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:26.949858904 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:26.998971939 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:32.795901060 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:32.800693035 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:33.011406898 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:33.013794899 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:33.018714905 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:41.316554070 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:41.321537018 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:41.552794933 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:41.558881998 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:41.563757896 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:50.524239063 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:50.529259920 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:50.741884947 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:50.782118082 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:50.787157059 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:54.875575066 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:54.880542994 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:55.091448069 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:55.094978094 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:50:55.101696014 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:56.956384897 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:50:56.999582052 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:07.155507088 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:07.160357952 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:07.637615919 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:07.640450954 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:07.880852938 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:07.881077051 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:07.882443905 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:14.155361891 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:14.160250902 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:14.394011974 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:14.397228956 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:14.404582977 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:26.443536043 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:26.448405981 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:26.659457922 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:26.662682056 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:26.667515993 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:26.970511913 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:27.061270952 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:27.061800003 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:27.066548109 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:27.277260065 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:27.279211044 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:27.284698963 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:27.655340910 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:27.660341024 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:27.870800018 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:28.062915087 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:28.586024046 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:28.591655016 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:28.592731953 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:28.597515106 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:28.966439009 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:28.967354059 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:28.972292900 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:40.874546051 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:41.186387062 CET  49723  4444  192.168.2.6  176.113.115.225
                  Jan 27, 2025 19:51:41.555586100 CET  4444  49723  176.113.115.225  192.168.2.6
                  Jan 27, 2025 19:51:41.555594921 CET444449723176.113.115.225192.168.2.6
                  Jan 27, 2025 19:51:41.789172888 CET444449723176.113.115.225192.168.2.6
                  Jan 27, 2025 19:51:41.790066004 CET497234444192.168.2.6176.113.115.225
                  Jan 27, 2025 19:51:41.795006990 CET444449723176.113.115.225192.168.2.6
                  Jan 27, 2025 19:51:53.155405045 CET497234444192.168.2.6176.113.115.225
                  Jan 27, 2025 19:51:53.161398888 CET444449723176.113.115.225192.168.2.6
                  Jan 27, 2025 19:51:53.390592098 CET444449723176.113.115.225192.168.2.6
                  Jan 27, 2025 19:51:53.391791105 CET497234444192.168.2.6176.113.115.225
                  Jan 27, 2025 19:51:53.396661043 CET444449723176.113.115.225192.168.2.6
                  Jan 27, 2025 19:51:56.977164030 CET444449723176.113.115.225192.168.2.6
                  Jan 27, 2025 19:51:57.030000925 CET497234444192.168.2.6176.113.115.225
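The whole timeline is one TCP session between the sandbox host 192.168.2.6:49723 and the configured C2 176.113.115.225:4444, with client-initiated packet bursts recurring at intervals of roughly 7 to 14 seconds. The following added example (not part of the Joe Sandbox report) parses rows in this timeline format and scores each client-to-server flow for heartbeat-like regularity. The embedded rows are transcribed from the table above (every client-to-server packet plus the first two server replies); the 5-second burst gap, the 20% tolerance, the 0.6 score threshold and the 192.168. "client network" prefix are assumptions chosen for this illustration, not values from the report.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Rows transcribed from the packet timeline above: every client-to-server
# packet plus the first two server replies. Column order follows the report:
# timestamp, source port, destination port, source IP, destination IP.
PACKET_LOG = """\
Jan 27, 2025 19:50:50.787157059 CET 4444 49723 176.113.115.225 192.168.2.6
Jan 27, 2025 19:50:54.875575066 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:50:54.880542994 CET 4444 49723 176.113.115.225 192.168.2.6
Jan 27, 2025 19:50:55.094978094 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:50:56.999582052 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:07.155507088 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:07.640450954 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:07.881077051 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:14.155361891 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:14.397228956 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:26.443536043 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:26.662682056 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:27.061270952 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:27.061800003 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:27.279211044 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:27.655340910 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:28.062915087 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:28.586024046 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:28.592731953 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:28.967354059 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:40.874546051 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:41.186387062 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:41.790066004 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:53.155405045 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:53.391791105 CET 49723 4444 192.168.2.6 176.113.115.225
Jan 27, 2025 19:51:57.030000925 CET 49723 4444 192.168.2.6 176.113.115.225
"""

ROW_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+ "
                    r"(\d+) (\d+) ([\d.]+) ([\d.]+)$")

def parse_row(line):
    """(time, src_ip, src_port, dst_ip, dst_port). The report prints
    nanoseconds but datetime only holds microseconds, so the tail is cut."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable row: {line!r}")
    ts, frac, sport, dport, sip, dip = m.groups()
    t = datetime.strptime(ts, "%b %d, %Y %H:%M:%S")
    t = t.replace(microsecond=int(frac[:6].ljust(6, "0")))
    return t, sip, int(sport), dip, int(dport)

def client_bursts(log, client_net="192.168.", gap=5.0):
    """Group client-originated packets per (client, server, server port) into
    bursts; silence longer than `gap` seconds (arbitrary) starts a new burst.
    Returns {(client_ip, server_ip, server_port): [burst start times]}."""
    rows = sorted(parse_row(l) for l in log.splitlines() if l.strip())
    bursts, last = defaultdict(list), {}
    for t, sip, _sport, dip, dport in rows:
        if not sip.startswith(client_net):
            continue                       # server-to-client reply: ignore
        key = (sip, dip, dport)
        if key not in last or (t - last[key]).total_seconds() > gap:
            bursts[key].append(t)
        last[key] = t
    return bursts

def beacon_score(starts, tolerance=0.2):
    """Inter-burst intervals, their median and the fraction of intervals that
    lie within +/-tolerance of the median (1.0 is a perfectly regular beacon)."""
    ivals = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    if len(ivals) < 3:
        return ivals, None, 0.0
    med = statistics.median(ivals)
    regular = sum(abs(i - med) <= tolerance * med for i in ivals)
    return ivals, med, regular / len(ivals)

def find_beacons(log, min_score=0.6):
    """Flows whose burst timing looks like a heartbeat (threshold arbitrary)."""
    hits = []
    for (cip, sip, port), starts in client_bursts(log).items():
        _ivals, med, score = beacon_score(starts)
        if score >= min_score:
            hits.append({"client": cip, "server": sip, "port": port,
                         "bursts": len(starts), "median_s": round(med, 2),
                         "score": round(score, 2)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(PACKET_LOG):
        print(hit)
```

On these rows the flow to 176.113.115.225:4444 splits into six client-initiated bursts with a median spacing of about 12.3 seconds; four of the five intervals fall within the tolerance band and the short 7-second one is the outlier, which is why the score is 0.8 rather than 1.0. A short capture like this only supports a coarse verdict; over a longer window the tolerance and gap values should be tuned against benign keepalive traffic before the check is used for alerting.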

                  Target ID:0
                  Start time:13:47:22
                  Start date:27/01/2025
                  Path:C:\Users\user\Desktop\uPt3XcHAIA.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\uPt3XcHAIA.exe"
                  Imagebase:0x920000
                  File size:56'832 bytes
                  MD5 hash:652EB7DF5EBB74A48F6D7AD357600FC0
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2313202746.0000000000922000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2313202746.0000000000922000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4760685747.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:false

                  Executed Functions

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID: 0-3916222277
                  • Opcode ID: 5c93aaea39c982ed2181d79dd38ff6af194e19d6a84a5377b4e390f78d4ca815
                  • Instruction ID: 9e214521a4e54d6f298d7264a4bc4855cf2ebcb1cc5477b4a3e9415b6df2f7e8
                  • Opcode Fuzzy Hash: 5c93aaea39c982ed2181d79dd38ff6af194e19d6a84a5377b4e390f78d4ca815
                  • Instruction Fuzzy Hash: 70829434B1C90A4BEB94EB6888E567977D2EF99310F558578D10ED32C3DE2EF8029741
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3409c969cbd3e83aef1f5ded3d037c5d014259f54782f954c47c9263c54a7b31
                  • Instruction ID: 637ee82a4142501255080ebb5800c826324384e947072aa2b0d070b0f0b88782
                  • Opcode Fuzzy Hash: 3409c969cbd3e83aef1f5ded3d037c5d014259f54782f954c47c9263c54a7b31
                  • Instruction Fuzzy Hash: 75F1C830608A4D8FEBA8DF28CC557E97BD1FF55310F04826EE84DD7292CB39A9459B81
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 46b768cf42a7ddd2f57e8add70eb7a5881941157e94b5689941276554c2b438f
                  • Instruction ID: 557a44864ecfd9a98a8ee5b5b690513d1f37c2148edc02d0d97690b6b8c601eb
                  • Opcode Fuzzy Hash: 46b768cf42a7ddd2f57e8add70eb7a5881941157e94b5689941276554c2b438f
                  • Instruction Fuzzy Hash: 61E1A730608A4E8FEBA8DF28C8557E97BD1FB95310F04827EE84DD7291DF79A5418B81
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID: L_^
                  • API String ID: 0-925995230
                  • Opcode ID: 8027156222175df5effadb198416d71e0fd1f21b1b8d8dd35d7dd7590e35f3b8
                  • Instruction ID: 36c891026e1d194d3036659d00df1b2b4f62bb95cf9e0730d95fa2ac84bee388
                  • Opcode Fuzzy Hash: 8027156222175df5effadb198416d71e0fd1f21b1b8d8dd35d7dd7590e35f3b8
                  • Instruction Fuzzy Hash: 3531C0A6A0CA8A4FE75197688CA51FA7FF1FF46250F0440B7C959E72D3DD2E28069341
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID: H
                  • API String ID: 0-2852464175
                  • Opcode ID: d0bd1f7c8674b6ab887441930ca5f71b92d76bd90da0ec49bf67b5ab3ef79786
                  • Instruction ID: 1377c071e18d17ea1df2de416dd6091cb8edaa2f2563102e68e32d7aaed348e3
                  • Opcode Fuzzy Hash: d0bd1f7c8674b6ab887441930ca5f71b92d76bd90da0ec49bf67b5ab3ef79786
                  • Instruction Fuzzy Hash: 1871D435B1CA494FEB54EB7898A96F97BE1EF5A310F14417AE00EE3293CD2D6841C741
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID: H
                  • API String ID: 0-2852464175
                  • Opcode ID: 34a8347cf558f688710c953c05d464f3df067ceb5c7cb474acbaa7cd2229aa37
                  • Instruction ID: 85a30dcb89d8bdd31e99208cf9bbacda3f57877dc7c460aa3f82997d1d9ef5fe
                  • Opcode Fuzzy Hash: 34a8347cf558f688710c953c05d464f3df067ceb5c7cb474acbaa7cd2229aa37
                  • Instruction Fuzzy Hash: 4451CA71B18A0D4FEB94EB68C8A96BDB7E1FF59350F144179E00EE3292CE29AC41C740
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4d]H
                  • API String ID: 0-1723939245
                  • Opcode ID: 4ef46ab66e285ad330de50c4c1f345cf1d51d2f99870501307cedcd858e06e77
                  • Instruction ID: 1c183a937fa58104b5752d659a326403f514675309a3002bc4e6014b2e80a39e
                  • Opcode Fuzzy Hash: 4ef46ab66e285ad330de50c4c1f345cf1d51d2f99870501307cedcd858e06e77
                  • Instruction Fuzzy Hash: FA310929F0C2464BF764677448B62BD3A92AF97350F5480B5D10DE73C3DE2EA842A391
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID: d
                  • API String ID: 0-2564639436
                  • Opcode ID: cf8fa1cfa3de56749186d8c114533076cc495f04ed2126b5cacae89f84bf7cdf
                  • Instruction ID: 4f961b7956473b8c0d510edf310ad766281887491cfa7d1b310440938d375799
                  • Opcode Fuzzy Hash: cf8fa1cfa3de56749186d8c114533076cc495f04ed2126b5cacae89f84bf7cdf
                  • Instruction Fuzzy Hash: FE210431D0CA5A4FEB019BA4CC956F9BFE0EF96310F0540BBD549E3293CA6DA840C792
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID: FN_H
                  • API String ID: 0-2686185486
                  • Opcode ID: c377e7ec7012cbc0bbf4f99a920b165f3879b4f44ddc461075acc0469faa8257
                  • Instruction ID: ea78558f40add2af456e675accc39a288cc2ca8eb6e956c1ca68015d5891d2a5
                  • Opcode Fuzzy Hash: c377e7ec7012cbc0bbf4f99a920b165f3879b4f44ddc461075acc0469faa8257
                  • Instruction Fuzzy Hash: A801B16994E2C66FEB4367341C610A67FA4DF43224B4984FBE1C9CB1D3E91E181AD352
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e62dd72ebf2e86e1f355a80f3567294a86dd0e5e12cfba3942b1a15f0b8c281e
                  • Instruction ID: 510783204d8a110450742b8ddaefd59984ca47fbc0250d528a54c9492cd90e92
                  • Opcode Fuzzy Hash: e62dd72ebf2e86e1f355a80f3567294a86dd0e5e12cfba3942b1a15f0b8c281e
                  • Instruction Fuzzy Hash: C5D1AE66F0CA8A4FE769972848B92B97BD1FF96350F08417AD54DE72C3CD2DAC028350
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4c25e619bd3ffed471f8a9fbf462335cee359f39578c1e9e35eca87bb9aa38a8
                  • Instruction ID: 0e2b6882120204382ccb245e0fca6266d163442784b047898d28db396543c16c
                  • Opcode Fuzzy Hash: 4c25e619bd3ffed471f8a9fbf462335cee359f39578c1e9e35eca87bb9aa38a8
                  • Instruction Fuzzy Hash: 78D15975B1CA1A8FE794EF2C84E86A47BE1FF59354B044579E00DD72D2CE29B801CB80
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b7409b6d1552af8ae998b0616381514c471a2f71480a88857c055724490f91fc
                  • Instruction ID: 7f307addacbe2e5f9ed0d7973cc7d352f02a07c5e69e95c071d5f5e186e4079a
                  • Opcode Fuzzy Hash: b7409b6d1552af8ae998b0616381514c471a2f71480a88857c055724490f91fc
                  • Instruction Fuzzy Hash: EFC18C62B0DA8A4FE769972848B92797BD1FF96340F04417AD54DD72C7CD2DAC028351
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6222554fe0705c978ce1d6ad8cd025bf00970d1650af0c6496918bf657c903fa
                  • Instruction ID: ad73c1ad5e4c26602447024786eacd118af46b6acd9aa60c0e458aedbb49b26c
                  • Opcode Fuzzy Hash: 6222554fe0705c978ce1d6ad8cd025bf00970d1650af0c6496918bf657c903fa
                  • Instruction Fuzzy Hash: 12B1C83060CA4D8FEB68DF28D8557E93BD1FF55310F04826EE84DC7292CA39A945CB82
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cb121a1e97c6f2e5c477be9d6cd3e48344af8d7313a33be1a38ef0e165e3f02f
                  • Instruction ID: aa3fa7c411e442eefa88cc3e5bff9befcdb87111e688b70828951d511b6c3951
                  • Opcode Fuzzy Hash: cb121a1e97c6f2e5c477be9d6cd3e48344af8d7313a33be1a38ef0e165e3f02f
                  • Instruction Fuzzy Hash: 5D21CE66A0CA8A4FE7519B688CB51FA7FB1FF46250F0441BBD859E72D3DD2E28029341
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8373ec9987269ccb1f019977401ea79b44f2c09de12dd14ddf48ec3f9c06f8f4
                  • Instruction ID: da35708576787a2af4fa433be25db16427cb7b441482c2e6685df7243f34f09b
                  • Opcode Fuzzy Hash: 8373ec9987269ccb1f019977401ea79b44f2c09de12dd14ddf48ec3f9c06f8f4
                  • Instruction Fuzzy Hash: 8321E066A0CA8A4FEB5197688CB51FA7FB1FF46250F0441B7D849E72D3DD2E28119341
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3c01c7f94c1ed5e7e763bf903bf5c3b7bed50d4450aa264f8d23292819d2947c
                  • Instruction ID: d8b3e32f0ac078adff5c9bf81a3a7e5378ec4979944a3d8bd902f9a263043040
                  • Opcode Fuzzy Hash: 3c01c7f94c1ed5e7e763bf903bf5c3b7bed50d4450aa264f8d23292819d2947c
                  • Instruction Fuzzy Hash: 13913675F0DA4A4FE758E76888E62A47BD0EF56310F0482BAD50CD31D3DE2DA8468381
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5d62224f94a556df30f2f59a31d311006fe524bf02d96a7b9d893b231f78877e
                  • Instruction ID: 44ca10c6a8b9f4e9424ad2b46d7d87e40547abd3a7ee554a7e44d7108564d11b
                  • Opcode Fuzzy Hash: 5d62224f94a556df30f2f59a31d311006fe524bf02d96a7b9d893b231f78877e
                  • Instruction Fuzzy Hash: 79619434A08A1C8FDB68DF58D8557EDBBF1FF99311F10826AD44DE3252CA75A842CB81
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 43390a610942948043649662505c433703b0b5314608c0bde97d4dabc623c347
                  • Instruction ID: 5ca745078cbc4b81628e8c524c3b1e7f76ec95743ce13c7496448f12203b6da6
                  • Opcode Fuzzy Hash: 43390a610942948043649662505c433703b0b5314608c0bde97d4dabc623c347
                  • Instruction Fuzzy Hash: A9512765B19A4A4FEBA4EB6858BD1BD7FD1FF8A240B404579E00ED31C3DD2DA8158350
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d8f73699af81c6372b5347392557cc8c34cc8decaab7a93d54c7e57f5beb1f59
                  • Instruction ID: f5fc612f03833f31ba67c3a1accf5efd0115f86d1e650262ee3dff01e7127dcc
                  • Opcode Fuzzy Hash: d8f73699af81c6372b5347392557cc8c34cc8decaab7a93d54c7e57f5beb1f59
                  • Instruction Fuzzy Hash: 4351A530B199199FEB98EB68D8A56B87BF1FF8A300F0445B9E50DD3293CE2D6841D741
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a86a146298e2ca220e17feee36960ea0e445cda9f945887a15b7ec08f05e0a9c
                  • Instruction ID: 0d4fa76b2a7171a224e7252f276ef026117ca17acf706f07c2c4601a730b2da1
                  • Opcode Fuzzy Hash: a86a146298e2ca220e17feee36960ea0e445cda9f945887a15b7ec08f05e0a9c
                  • Instruction Fuzzy Hash: 16610434E0C6864FEB56977488A22B97FE1EF57320F1842B9C059E72D3DE2D6806C752
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 90f83da7e471fe073adada2bb56d868f42f67de3ca9b610450abd222745a04e4
                  • Instruction ID: 7f3d9f38a94806d72d634b31ccb8785af42142b0f0a1f8010efe7c3107c31bfa
                  • Opcode Fuzzy Hash: 90f83da7e471fe073adada2bb56d868f42f67de3ca9b610450abd222745a04e4
                  • Instruction Fuzzy Hash: 7E518271908A1C8FDB68DB58D855BE9BBF1FF59310F0082AAD04DE3252CE34A985CB81
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 22616b7721f248d37e8a6e7c376344a87a4f84f12f2ff46cd538697b1c96b706
                  • Instruction ID: 6d98df4e3138259bfd997d553097e5d1d99544ff0fbf09b15db9be1e75ad8471
                  • Opcode Fuzzy Hash: 22616b7721f248d37e8a6e7c376344a87a4f84f12f2ff46cd538697b1c96b706
                  • Instruction Fuzzy Hash: D9512430A0CA598FE718DF68D8A56B97FE0EF56320F04817ED04DD7293DB29A856CB41
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c687e8253fe01de10962f41043a7091e880656248582b7b0d67befc513566572
                  • Instruction ID: b93f1b208249214ea71e9fe2db910dc2aee84c8eeed544e63d5b9b9cbbc34750
                  • Opcode Fuzzy Hash: c687e8253fe01de10962f41043a7091e880656248582b7b0d67befc513566572
                  • Instruction Fuzzy Hash: AF517334A08A1C8FDB58DF58D8557EDB7F1FF98311F10426AD44DE3256CA74A8418F81
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 15ac9037b660b3307b055e6b604b6d77973515b21b6135b898eeba4d5e5d7810
                  • Instruction ID: 98ca342c2d70349ea38b1350c7ca3371417753be1ac4adb9cd9fac1708dad3da
                  • Opcode Fuzzy Hash: 15ac9037b660b3307b055e6b604b6d77973515b21b6135b898eeba4d5e5d7810
                  • Instruction Fuzzy Hash: 18517074608A5D8FDB98EF68C8A5BB97BE0FF55301F14417ED00AD3692CB3AA841CB41
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 72e4299d557cc3d5fbada242110ce505401838b9bb84a13aa0e9bc6be5b31760
                  • Instruction ID: 810e8384aaffe678ef104653da3b774d5bcf76843f79bd643989acb525d24be9
                  • Opcode Fuzzy Hash: 72e4299d557cc3d5fbada242110ce505401838b9bb84a13aa0e9bc6be5b31760
                  • Instruction Fuzzy Hash: 1041062170DA890FE795A76C48693B97BD2EF9A225F0801FFE04DD72A3CD589C068341
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 44d35da4c611b12a6962f840e73c946f8b67100226c4486010275fae29bb5ca9
                  • Instruction ID: 77f8821092d6329a2a72e52c3f79ecc51d6465a176da211905218d7c797cd197
                  • Opcode Fuzzy Hash: 44d35da4c611b12a6962f840e73c946f8b67100226c4486010275fae29bb5ca9
                  • Instruction Fuzzy Hash: 0631D721B19A490FE798FB6C9869779B6C2EF99315F0401BEE04ED32D3DD689C428341
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d896e2d1b4304b21e9f47e417cdbe0d2987d9e68a7ddc58168a3da64fa47c736
                  • Instruction ID: c01a5e563a0b1c755323f5839dfcaa21b0818a9a2eed8e62147322a34924081b
                  • Opcode Fuzzy Hash: d896e2d1b4304b21e9f47e417cdbe0d2987d9e68a7ddc58168a3da64fa47c736
                  • Instruction Fuzzy Hash: 22418171B089094FEF84EB6C88A96BDBBE2FF59301B04457AD50DE3292DE39A841C741
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: af4c9583416566ce9344fdc30ee77ba4594ba080a42d6fa64f8162977dc6d76d
                  • Instruction ID: 893a0da4943c65e1e02e7f3bf6ebac65da66f1d716a92f87201a9322e73a78d0
                  • Opcode Fuzzy Hash: af4c9583416566ce9344fdc30ee77ba4594ba080a42d6fa64f8162977dc6d76d
                  • Instruction Fuzzy Hash: DF31E615B18A0D4FFB94B7AC5C6A3BD7BD6EF99351F0442BAE00DD3293DE18A8019391
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4b5f1b737017c08c977ffe6d8b140b802e98b73388f838badf9a6e3e350058ac
                  • Instruction ID: ed24f77775dcc35aab4700a1ba99a7c6e9af4074e54f18218dd00db64c0bfd6f
                  • Opcode Fuzzy Hash: 4b5f1b737017c08c977ffe6d8b140b802e98b73388f838badf9a6e3e350058ac
                  • Instruction Fuzzy Hash: 5341D334B1964E8FEB54EBB888A56B97BB2FF89300F544579D008E3283CE39A814C750
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0d660db78b277e35097b179b0940c30a5ed82339c5ee1bca0f2c9f1a1ca14a06
                  • Instruction ID: 34cb308ab4925f5490241a8a544493c81b3fd134b0a08c7f0df0bbdda4938134
                  • Opcode Fuzzy Hash: 0d660db78b277e35097b179b0940c30a5ed82339c5ee1bca0f2c9f1a1ca14a06
                  • Instruction Fuzzy Hash: F831C315B18D0E4BFBA4B7AC586E3BD76D7FB98751F0402BAE00DD3293DD68A8019391
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 85f98cbfa24fbd5a521b764622a60a8bfc6f5bed59ae3af33a6899d3183a5644
                  • Instruction ID: 07d1aa6fdc7eded801df64626a2b57bc1ff23275632ee52463372838375c34c9
                  • Opcode Fuzzy Hash: 85f98cbfa24fbd5a521b764622a60a8bfc6f5bed59ae3af33a6899d3183a5644
                  • Instruction Fuzzy Hash: 0E31A13150C7488FDB15DBA8D889BEABBF0EF56320F0482AFD089C7552D764A406CB51
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c4161439adc0c5a1b8c244ee625f30b459af20db33dd6ab320ecf9b4f19e4d5a
                  • Instruction ID: def74b96aef1af30a4bacb60e4959e1a92cdde86cefcf36beb57354e97d76282
                  • Opcode Fuzzy Hash: c4161439adc0c5a1b8c244ee625f30b459af20db33dd6ab320ecf9b4f19e4d5a
                  • Instruction Fuzzy Hash: 8F31E43064DA899FDB46EB3CC8A5A697BF0EF1A350B0401A6D448C72E3DE39A841C791
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9f681c493e3831103670a3070c615f384ffe6174bada0d7cf223c313a6e8ac99
                  • Instruction ID: f823656f8cf8acad14d3e854d6d8a1dd0fa6b431635bdda6424bb0259b6b41b8
                  • Opcode Fuzzy Hash: 9f681c493e3831103670a3070c615f384ffe6174bada0d7cf223c313a6e8ac99
                  • Instruction Fuzzy Hash: 92219570908B0C8FDB68DF98D849BFABBF1EB55310F00422ED04AD3652DA756405CF51
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 25fd427854de8fd3b9887c5f3c01f38cca144f3a95266cf9f4679e2f0bd7baec
                  • Instruction ID: bb3d87754c04c1bff794a021375f054ec53f5fcd7549c0cc0c0067d4f5bd5f06
                  • Opcode Fuzzy Hash: 25fd427854de8fd3b9887c5f3c01f38cca144f3a95266cf9f4679e2f0bd7baec
                  • Instruction Fuzzy Hash: 50214335B0CA4D4FEF50EBA898961ADBBE0FB96320B0402B7D50CD3192DE2DA8558781
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ba3d1279622b27f6d329d59a70f07c7b6cb105688e7531b6e298fdd19f813340
                  • Instruction ID: 438066f4014d6221dd948ac3dd5846e1028782adf11908986baa6a3eef946a83
                  • Opcode Fuzzy Hash: ba3d1279622b27f6d329d59a70f07c7b6cb105688e7531b6e298fdd19f813340
                  • Instruction Fuzzy Hash: B321F014B1CA5A4BEB55B7AC98767B97BD2EB89300F5402B5E00DD32D3CD1D68108392
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 641ca7c6de57099e0744308405010d26c1870cfa765da27018fe7e4529466732
                  • Instruction ID: 261ad2a1925fee576d58ee4d6aedf7bb9ab18252c18c1c61f496bed862b7b3b4
                  • Opcode Fuzzy Hash: 641ca7c6de57099e0744308405010d26c1870cfa765da27018fe7e4529466732
                  • Instruction Fuzzy Hash: B421E734B4D68A1FE7459B644C625FA7FE1EF8B200F0481B6E189C3193CD1D98029B52
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dd2ab9a21075cbfffd6d5162e968e7e701b488894fa7ff8934b8234e64fc313e
                  • Instruction ID: 47c95e709ea43e45853bc6ff597b88809b7c26ddf0b1c7bb095f496a02d7f6f5
                  • Opcode Fuzzy Hash: dd2ab9a21075cbfffd6d5162e968e7e701b488894fa7ff8934b8234e64fc313e
                  • Instruction Fuzzy Hash: 010122B190868E4FD759DF2888A91B93FE0EB6A200B4840BFC449E72A2CA3954108300
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b1e699415242fb566798f163be149ccb9b375a9e0ed71c860bbd8348ab4c0c6e
                  • Instruction ID: ecd88dba394210dfdaff2c8e96b8fb717ccd492e2bcd1ba558185eea2e7a9af5
                  • Opcode Fuzzy Hash: b1e699415242fb566798f163be149ccb9b375a9e0ed71c860bbd8348ab4c0c6e
                  • Instruction Fuzzy Hash: 4401285FB08A1607E754A6285CA54F93BE1DF923A07080132E908E7193DD0DA9425241
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a6e557801227e0fe07e1d50812f44781a7fe2b236c2a889ca4a3c19f735a3180
                  • Instruction ID: 1bd2d07b6973dc3f24fc37470b2275aed45673ad519e2a7bbf46efe78be4e906
                  • Opcode Fuzzy Hash: a6e557801227e0fe07e1d50812f44781a7fe2b236c2a889ca4a3c19f735a3180
                  • Instruction Fuzzy Hash: CA016272E08A8C0FDB41ABA8886A1FD7BF0FF59310F4002A7C008D31A3DF29A8049381
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 624804962b78e14553373bfc81914a9c5b88545ae229e05cf245bbe220429d23
                  • Instruction ID: 668e22bc8d42ca9c2dd034a1b1421d99c07216e48e9eab10c7a0704b8d40848d
                  • Opcode Fuzzy Hash: 624804962b78e14553373bfc81914a9c5b88545ae229e05cf245bbe220429d23
                  • Instruction Fuzzy Hash: DF012846A0D7950FE752A2385CB54B93FF09F83250B0C44B7E988DA2E3DC0CA8449352
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e293fe5b5194b01f0fa08037cb5c19e5ddc93859badf8900a5d47b451a8f7e69
                  • Instruction ID: 20eef621e73ba1b03c5851ca51afd17c6238a1233da8c7e62b7704e46642d146
                  • Opcode Fuzzy Hash: e293fe5b5194b01f0fa08037cb5c19e5ddc93859badf8900a5d47b451a8f7e69
                  • Instruction Fuzzy Hash: 7F01D665B189074AE75CB7784CE62B57691FF16315F404679D90EE20D3DD1EB406C2D0
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4aae45f92e29df1afff12f689993ef9b098e76f1b14bd6c951dcd8cf0ab5a696
                  • Instruction ID: d2517533b20f7c8af8451d08d1779ed31990c17de62e4efdb6d3b18146e60857
                  • Opcode Fuzzy Hash: 4aae45f92e29df1afff12f689993ef9b098e76f1b14bd6c951dcd8cf0ab5a696
                  • Instruction Fuzzy Hash: 2BF02218F0D68A4FF765637808BA2782E92AF56340F4440F9D20DD72C3DE5E6801A301
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5b6f262d6145d07f3e198e0630e26dfa70b194c7666f0e84a382b97fc72b7bc0
                  • Instruction ID: 7f96f94ad4959b86ec666f3a69b37233c63da4eb6b51160277c467670181b36c
                  • Opcode Fuzzy Hash: 5b6f262d6145d07f3e198e0630e26dfa70b194c7666f0e84a382b97fc72b7bc0
                  • Instruction Fuzzy Hash: 83F0A435E0C5064BF365DB15C8A16787BA2AF56360F508635D10DE72C3DE3EB891A780
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 71603dcf9628234875228b3fd2b565f4b09d5c42aa45b33bf80eecf22cdfeb6b
                  • Instruction ID: 52614573b07431086019ca303f11e13c6f8aaf52126f3a2b66585bd2e2c3cd8d
                  • Opcode Fuzzy Hash: 71603dcf9628234875228b3fd2b565f4b09d5c42aa45b33bf80eecf22cdfeb6b
                  • Instruction Fuzzy Hash: 9CE0263980C3C84FDB125B1408620E93FA0EF16200F4511CAE50886143E62A99048383
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 594684a0c99934a08c6812e4f6ebc34eff97f8c94f3e58a1a5e0feece4c1ae82
                  • Instruction ID: 77603db8fe791301ba99e65cee874c554806e04fe8be9b63338a6028fd57ba6f
                  • Opcode Fuzzy Hash: 594684a0c99934a08c6812e4f6ebc34eff97f8c94f3e58a1a5e0feece4c1ae82
                  • Instruction Fuzzy Hash: 63E0867584E7CD4EDB1267244C610D97FA0EF13200B4951D7D598C7053E55E4519C392
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c4543ba48cad8328d3a84b1ebaeedb1f465cbd9892f5d05173ac5f92f47281ff
                  • Instruction ID: b26682eb98bd2674141ec5d754b3168e66f51287f613e8ebd69947a9f76c1f17
                  • Opcode Fuzzy Hash: c4543ba48cad8328d3a84b1ebaeedb1f465cbd9892f5d05173ac5f92f47281ff
                  • Instruction Fuzzy Hash: D8C08039C5494D5AAF507F516C411FEB724FF05304F404557F91DD3041DB3A722466C2
                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 174adcac23b641431a00174ab307a47d1dea36bc7ac59b76b51f3fc4749f180d
                  • Instruction ID: 064ae6e7cbcfc553a631c75074f4ece2c23db4a20d05ed3722a71e511110e616
                  • Opcode Fuzzy Hash: 174adcac23b641431a00174ab307a47d1dea36bc7ac59b76b51f3fc4749f180d
                  • Instruction Fuzzy Hash: 3BD0121488F7C14FD70763710CA54507EF09D4729078F82DFCA88DA593D68E099D9356

                  Non-executed Functions

                  Memory Dump Source
                  • Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8d416ca68ab1ce6af6698fb245265f44be1f6c50b91ca9f9bf2de7b89a3ed4c5
                  • Instruction ID: 945465f653836820f9df02007bf05e6f123c1b8a263ec47ce477719c7e54e545
                  • Opcode Fuzzy Hash: 8d416ca68ab1ce6af6698fb245265f44be1f6c50b91ca9f9bf2de7b89a3ed4c5
                  • Instruction Fuzzy Hash: 4871F62064F3C50FE34793345CA96B93F919F83329F1881F6E188DA0A3CE9E1846C302
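The records above are the unit a practitioner actually works with when comparing this sample against other reports: every function carved out of the 0x7FFD34270000 region (which the report marks as not backed by a PE image) carries an Opcode ID, an Instruction ID and two fuzzy hashes, and the heading "Non-executed Functions" separates code that ran in the sandbox from code that never did. The following script is an added example, not Joe Sandbox's own code. It parses this listing format into records, applies the structural checks that hold for every record on this page (64 lowercase hex characters for the IDs, 70 hex characters for the instruction fuzzy hash, and Opcode ID equal to Opcode Fuzzy Hash), and collects the instruction fuzzy hashes into a set that can be intersected with the set from a second report to find shared functions. The fuzzy hashes are treated as opaque values; nothing here reimplements how Joe Sandbox computes them. The function and class names (parse_records, fingerprints, FunctionRecord) are this example's own, and the embedded sample is two records copied from the listing above.

```python
"""Parse the per-function 'Memory Dump Source / Similarity' records of a Joe Sandbox report.
Added example, not Joe Sandbox's own code; the fuzzy hashes are treated as opaque values."""
import re
from dataclasses import dataclass, field

FIELD = re.compile(r"^\s*•\s*([^:]+):\s*(.*?)\s*$")
SOURCE = re.compile(r"^(?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), "
                    r"based on PE: (?P<pe>true|false)$")
HEX64 = re.compile(r"^[0-9a-f]{64}$")  # Opcode ID, Instruction ID, Opcode Fuzzy Hash
HEX70 = re.compile(r"^[0-9A-F]{70}$")  # Instruction Fuzzy Hash, as printed in the report

# Constructed sample: two records copied from this report in its own layout, one from the
# executed part and one from after the 'Non-executed Functions' heading.
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0d660db78b277e35097b179b0940c30a5ed82339c5ee1bca0f2c9f1a1ca14a06
• Instruction ID: 34cb308ab4925f5490241a8a544493c81b3fd134b0a08c7f0df0bbdda4938134
• Opcode Fuzzy Hash: 0d660db78b277e35097b179b0940c30a5ed82339c5ee1bca0f2c9f1a1ca14a06
• Instruction Fuzzy Hash: F831C315B18D0E4BFBA4B7AC586E3BD76D7FB98751F0402BAE00DD3293DD68A8019391

Non-executed Functions

Memory Dump Source
• Source File: 00000000.00000002.4765770132.00007FFD34270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34270000_uPt3XcHAIA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8d416ca68ab1ce6af6698fb245265f44be1f6c50b91ca9f9bf2de7b89a3ed4c5
• Instruction ID: 945465f653836820f9df02007bf05e6f123c1b8a263ec47ce477719c7e54e545
• Opcode Fuzzy Hash: 8d416ca68ab1ce6af6698fb245265f44be1f6c50b91ca9f9bf2de7b89a3ed4c5
• Instruction Fuzzy Hash: 4871F62064F3C50FE34793345CA96B93F919F83329F1881F6E188DA0A3CE9E1846C302
"""


@dataclass
class FunctionRecord:
    source_file: str = ""
    offset: int = 0
    pe_backed: bool = False  # 'based on PE: false' in this report: region not backed by an image
    snapshot: str = ""
    executed: bool = True
    fields: dict = field(default_factory=dict)

    def anomalies(self) -> list[str]:
        """Structural checks to make before trusting a record; an empty list means clean."""
        out = []
        for key in ("Opcode ID", "Instruction ID", "Opcode Fuzzy Hash"):
            if not HEX64.match(self.fields.get(key, "")):
                out.append(f"{key} is not 64 lowercase hex chars")
        if not HEX70.match(self.fields.get("Instruction Fuzzy Hash", "")):
            out.append("Instruction Fuzzy Hash is not 70 hex chars")
        if self.fields.get("Opcode ID") != self.fields.get("Opcode Fuzzy Hash"):
            out.append("Opcode ID differs from Opcode Fuzzy Hash")  # equal in every record here
        return out


def parse_records(text: str) -> list[FunctionRecord]:
    """One FunctionRecord per 'Memory Dump Source' block, in report order."""
    records, current, executed = [], None, True
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Non-executed Functions":
            executed = False  # every record after this heading was never run in the sandbox
        elif stripped == "Memory Dump Source":
            current = FunctionRecord(executed=executed)
            records.append(current)
        elif current is not None and (m := FIELD.match(line)):
            key, value = m.group(1), m.group(2)
            if key == "Source File":
                s = SOURCE.match(value)
                if s is None:
                    raise ValueError(f"unexpected Source File line: {value}")
                current.source_file, current.offset = s["file"], int(s["offset"], 16)
                current.pe_backed = s["pe"] == "true"
            elif key == "Snapshot File":
                current.snapshot = value
            else:
                current.fields[key] = value  # API ID / String ID / hashes, empty values kept
    return records


def fingerprints(records: list[FunctionRecord], executed_only: bool = False) -> set[str]:
    """Instruction fuzzy hashes as a set; intersect two reports' sets to find shared functions."""
    return {r.fields["Instruction Fuzzy Hash"] for r in records
            if "Instruction Fuzzy Hash" in r.fields and (r.executed or not executed_only)}
```

Usage on a saved report is parse_records(open(path, encoding="utf-8").read()); fingerprints(a) & fingerprints(b) on two parsed reports gives the functions they share, and fingerprints(recs, executed_only=True) restricts the comparison to code the sandbox actually ran, which matters for a sample that delays and idles as this one does. Records with a non-empty anomalies() list should be inspected by hand rather than fed into a comparison.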