
Windows Analysis Report
011K3SJvSf.exe

Overview

General Information

Sample name: 011K3SJvSf.exe (renamed because the original name is a hash value)
Original sample name: 38e6b2d0fcbee8e541b8524b78642bfa38b12829ba352f3f66f490060e224da6.exe
Analysis ID: 1600637
MD5: f5820286359139ca1e53025e1d7dad6d
SHA1: 56f446f0eb8726e6598e854d06d91363b3bc7074
SHA256: 38e6b2d0fcbee8e541b8524b78642bfa38b12829ba352f3f66f490060e224da6
Tags: 176-113-115-225, exe, user-JAMESWT_MHT

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Malware Callback Communication
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • 011K3SJvSf.exe (PID: 5788 cmdline: "C:\Users\user\Desktop\011K3SJvSf.exe" MD5: F5820286359139CA1E53025E1D7DAD6D)
  • cleanup
{
  "C2 url": [
    "176.113.115.225"
  ],
  "Port": 4444,
  "Aes key": "P0WER",
  "SPL": "<Xwormmm>",
  "Install file": "USB.exe"
}
Source | Rule | Description | Author | Strings
011K3SJvSf.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
011K3SJvSf.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
    • 0x9a92:$str01: $VB$Local_Port
    • 0x27498:$str01: $VB$Local_Port
    • 0x9afe:$str02: $VB$Local_Host
    • 0x27504:$str02: $VB$Local_Host
    • 0x83ee:$str03: get_Jpeg
    • 0x25df4:$str03: get_Jpeg
    • 0x8990:$str04: get_ServicePack
    • 0x26396:$str04: get_ServicePack
    • 0xa7be:$str05: Select * from AntivirusProduct
    • 0x281c4:$str05: Select * from AntivirusProduct
    • 0xaefc:$str06: PCRestart
    • 0x28902:$str06: PCRestart
    • 0xaf10:$str07: shutdown.exe /f /r /t 0
    • 0x28916:$str07: shutdown.exe /f /r /t 0
    • 0xafc2:$str08: StopReport
    • 0x289c8:$str08: StopReport
    • 0xaf98:$str09: StopDDos
    • 0x2899e:$str09: StopDDos
    • 0xb08e:$str10: sendPlugin
    • 0x28a94:$str10: sendPlugin
    • 0xb10e:$str11: OfflineKeylogger Not Enabled
011K3SJvSf.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
    • 0xbb38:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x2953e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0xbbd5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x295db:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0xbcea:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x296f0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0xb7aa:$cnc4: POST / HTTP/1.1
    • 0x291b0:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
00000000.00000000.1473205923.0000000000702000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1473205923.0000000000702000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
      • 0xb938:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0xb9d5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0xbaea:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xb5aa:$cnc4: POST / HTTP/1.1
00000000.00000002.3917779870.00000000029B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: 011K3SJvSf.exe PID: 5788 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Source | Rule | Description | Author | Strings
0.0.011K3SJvSf.exe.700000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.011K3SJvSf.exe.700000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
            • 0x9a92:$str01: $VB$Local_Port
            • 0x9afe:$str02: $VB$Local_Host
            • 0x83ee:$str03: get_Jpeg
            • 0x8990:$str04: get_ServicePack
            • 0xa7be:$str05: Select * from AntivirusProduct
            • 0xaefc:$str06: PCRestart
            • 0xaf10:$str07: shutdown.exe /f /r /t 0
            • 0xafc2:$str08: StopReport
            • 0xaf98:$str09: StopDDos
            • 0xb08e:$str10: sendPlugin
            • 0xb10e:$str11: OfflineKeylogger Not Enabled
            • 0xb266:$str12: -ExecutionPolicy Bypass -File "
            • 0xb88f:$str13: Content-length: 5235
0.0.011K3SJvSf.exe.700000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
            • 0xbb38:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0xbbd5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0xbcea:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0xb7aa:$cnc4: POST / HTTP/1.1

            System Summary

Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 176.113.115.225, DestinationIsIpv6: false, DestinationPort: 4444, EventID: 3, Image: C:\Users\user\Desktop\011K3SJvSf.exe, Initiated: true, ProcessId: 5788, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49705
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-27T19:47:55.256975+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:47:57.041532+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:09.684030+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:24.047920+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:27.151760+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:27.163169+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:38.437525+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:42.537388+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:42.659608+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:46.393046+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:48.189783+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:48.313102+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:48.620472+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:49.710659+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:54.203568+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:54.347570+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:54.470733+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:54.589697+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:54.710488+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:55.316022+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:56.950882+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:00.233744+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:00.921658+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:10.362278+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:10.485212+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:10.912548+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:10.913276+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:20.812185+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:26.735069+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:26.957676+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:41.232616+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:42.281682+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:47.922903+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:48.044816+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:48.180448+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:48.407560+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:50.046973+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:52.359588+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:56.962235+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:58.547568+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:58.669664+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:58.791525+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:59.033620+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:05.578389+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:08.062284+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:19.351544+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:20.300113+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:25.703495+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:26.951855+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:30.765893+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:30.906481+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:35.944083+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:40.578290+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:42.142328+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:46.062460+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:47.208149+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:53.938180+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:55.392607+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:56.651115+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:56.675575+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:56.820494+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:56.958044+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:59.640750+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:07.383327+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:21.325490+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:26.972382+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:27.766245+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:31.328469+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:33.703815+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:34.640963+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:36.516428+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:50.908579+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:56.979176+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:52:05.297096+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-27T19:47:55.355174+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:09.692478+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:24.050924+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:38.439571+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:42.557724+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:42.665850+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:42.788818+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:42.793739+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:46.395054+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:48.192045+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:48.315853+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:48.637897+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:49.713157+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:54.206356+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:54.349884+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:54.473264+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:54.593766+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:54.717794+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:55.318701+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:00.238103+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:00.924615+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:10.365942+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:10.488214+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:10.914820+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:20.815129+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:26.737303+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:41.248154+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:42.284559+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:47.925201+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:48.047951+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:48.182756+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:48.288864+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:48.409950+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:50.049463+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:52.361686+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:58.550006+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:58.674863+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:58.794754+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:58.917752+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:58.922812+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:59.036222+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:05.580369+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:08.064584+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:19.353291+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:20.301772+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:25.705493+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:30.772532+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:30.912557+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:31.029710+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:35.974571+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:40.580691+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:42.144845+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:46.065203+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:47.215571+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:53.953652+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:55.394786+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:56.653609+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:56.677828+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:56.822011+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:59.644216+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:07.385830+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:21.328989+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:27.769003+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:31.330386+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:33.705804+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:34.651077+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:36.517611+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:50.913178+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:52:05.298028+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-27T19:47:57.041532+0100 | 2858801 | 1 | Malware Command and Control Activity Detected | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-27T19:49:10.144774+0100 | 2858799 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP


            AV Detection

Source: 011K3SJvSf.exe | Avira: detected
Source: 011K3SJvSf.exe | Malware Configuration Extractor: Xworm {"C2 url": ["176.113.115.225"], "Port": 4444, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: 011K3SJvSf.exe | Virustotal: Detection: 69%
Source: 011K3SJvSf.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 011K3SJvSf.exe | Joe Sandbox ML: detected
Source: 011K3SJvSf.exe | String decryptor: 176.113.115.225
Source: 011K3SJvSf.exe | String decryptor: 4444
Source: 011K3SJvSf.exe | String decryptor: P0WER
Source: 011K3SJvSf.exe | String decryptor: <Xwormmm>
Source: 011K3SJvSf.exe | String decryptor: XWorm
Source: 011K3SJvSf.exe | String decryptor: USB.exe
Source: 011K3SJvSf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 011K3SJvSf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: Network traffic | Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49705 -> 176.113.115.225:4444
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 176.113.115.225:4444 -> 192.168.2.7:49705
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.7:49705 -> 176.113.115.225:4444
Source: Network traffic | Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 176.113.115.225:4444 -> 192.168.2.7:49705
Source: Network traffic | Suricata IDS: 2858799 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49705 -> 176.113.115.225:4444
Source: Malware configuration extractor | URLs: 176.113.115.225
Source: global traffic | TCP traffic: 192.168.2.7:49705 -> 176.113.115.225:4444
Source: Joe Sandbox View | ASN Name: SELECTELRU SELECTELRU
Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.225
            Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.225
            Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.225
            Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.225
            Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.225
            Source: 011K3SJvSf.exe, 00000000.00000002.3917779870.00000000029B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            System Summary

            Source: 011K3SJvSf.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
            Source: 011K3SJvSf.exe, type: SAMPLE | Matched rule: Detects AsyncRAT, Author: ditekSHen
            Source: 0.0.011K3SJvSf.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
            Source: 0.0.011K3SJvSf.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
            Source: 00000000.00000000.1473205923.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Code function: 0_2_00007FFAAC1B64C6
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Code function: 0_2_00007FFAAC1B7272
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Code function: 0_2_00007FFAAC1B5CC5
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Code function: 0_2_00007FFAAC1B4179
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Code function: 0_2_00007FFAAC1B2820
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Code function: 0_2_00007FFAAC1B4C9D
            Source: 011K3SJvSf.exe, 00000000.00000000.1473205923.0000000000702000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs 011K3SJvSf.exe
            Source: 011K3SJvSf.exe | Binary or memory string: OriginalFilenameXClient.exe4 vs 011K3SJvSf.exe
            Source: 011K3SJvSf.exe | Binary or memory string: OriginalFilenameGOO.dll( vs 011K3SJvSf.exe
            Source: 011K3SJvSf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 011K3SJvSf.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 011K3SJvSf.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.0.011K3SJvSf.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.0.011K3SJvSf.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000000.1473205923.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 011K3SJvSf.exe, 75nEg0zZR0dHe.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 011K3SJvSf.exe, ocdWY4uta2L6F.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Mutant created: \Sessions\1\BaseNamedObjects\pWbxsRP5Z5tLW4V1
            Source: 011K3SJvSf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 011K3SJvSf.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 011K3SJvSf.exe | Virustotal: Detection: 69%
            Source: 011K3SJvSf.exe | ReversingLabs: Detection: 84%
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: avicap32.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: msvfw32.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: 011K3SJvSf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 011K3SJvSf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: 011K3SJvSf.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH._7ou4q3URxUtrcBhAksV8MILst8vvfhGZzz84cTowdPeJNJqpazaC0zcplhKSCF9TGZGal9qwtbeNZDXuM4ysc7,Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH.B5vObioagoHeuBETToqXO7c4SBvzgegJ2rVxzrn97Z01VyClBh4RfVnBpn3uLZmwBfvDkA7hA0zjL4bYk2F9Lw,Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH.MGHflsToeaIGYe2QlJGLifoJfKHFMzr3e7F5gXl32IYYefKteaV3QAP8fQuyq1nSYPUyb4dRKPWQTfFJrBKDJn,Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH.JavtZpWbEUzyaboWUx5EzFRMnopkNEbRbaMCyBm6SCxx4PxjVvD0SD2eCoxY6CvuIPhM1bDKYzUwSKBPVNSu3Q,_75nEg0zZR0dHe.a5l48OPDiZ3ML()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 011K3SJvSf.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{N6aiy2oVGGWRy[2],_75nEg0zZR0dHe.UcVmBdslgVk5f(Convert.FromBase64String(N6aiy2oVGGWRy[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 011K3SJvSf.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: ZUmB24n464ntiQrflcihkDyPco81l8Q7DbSzDtnPgle6J6wZ28XmQUOLWjnlfqlyYqNcIrx System.AppDomain.Load(byte[])
            Source: 011K3SJvSf.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: RocT7i11N77Uf System.AppDomain.Load(byte[])
            Source: 011K3SJvSf.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: RocT7i11N77Uf
            Source: 011K3SJvSf.exe, b4uun3ISTXKnf.cs | High entropy of concatenated method names: 'YCjMUCUaS1W51', 'nBYZp8mEKNdCM', 'A0fHqAYUq6yHF', '_1mVdS59RD9WRXjpk4dgLoY55DRM5wYkWRMGMMurlj3LIOgyP', 'fHMQFoqEOaRpZM5LGroxVJm37fqi9jUrbA6e0tMx0g2V8mYW', 'LoB5UwuYY5RTRpo7KYVsQo0M18w3Nqjvx6hFEJtWrmEhpNS8', '_8xzyi24VkTi5m5Gsy7XUUolTzE6ThsmXs6bUc1FmIJiIWf1C', '_0fb1PXYa6kb1Rh7XSfKSHk6h0u9Dpwhkn0aPYGvFcLJ9j5gx', 'muNz9fBp8MEGjEaAaR4gHkqhVUn1c7430siPvrb9kzSiFIcm', 'br3It0Vta53HcAKawwe4bhthaz6XVj4dQqIhe3SzkIF6mbdR'
            Source: 011K3SJvSf.exe, Okx2cEcCTYefVQm6EymR3DAHXaTSljZM45uWUuKfmTQXlObkYx2hI.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'qhoRWWDGbIaBYf1xlc2ObtVWJaKjgV1', 'DymWxUA0Gzkq60kzVxmAsWvR6nPAUbA', 'VRGwbt4QosOEYZDJMW6oiZAv0pO17cG', 'yUA6AUHSQfBMMR68GOUobZVEBz10NVn'
            Source: 011K3SJvSf.exe, 6jI32o4ws06OX.cs | High entropy of concatenated method names: 'RaiFrYHEhVkGS', 'hx6hnTTFdwvcvMmU5tfd16J2MYSLJ0eJ6OI49uozqUzfAV2hp9pL3WXmxeqoyAR', 'cNGApf86khPqX7UFOcOQ1vxse4iSyACnzfVfGwGsr2VBKXVV9zlAAxqefX2ESAr', 'A59evJghrlNxzbqc6Ps2fGGXCHRposxsPG3o30QgIEcDchw2DXYQuOTjARh5Abl', '_6zBH6zRaU2H1LVlnglmQDC83mL96YyuygQvcn37k0CYYQ5ofHgMOFoWn6791yKg'
            Source: 011K3SJvSf.exe, ZIg8Qqo0jZuX2XOx4xLqAhf47oWpoNvAaxwAcDK84nM8ufFMnbxFnWhlwugUCXkJBxJUgDoiGL4JxxlL3N6MWF.cs | High entropy of concatenated method names: 'PCMd3nft0XRAEjjfTvQ9XSikDVDfw1SFeuJjcMNu23L9ut7hUam2JtbvJNG9Q1LtII1NXrvJ1pXXQSrlwu1LGA', 'Jd7dipyiHVKFnnn5TtLlCT4QqQcZ1LcpveZHXmyGRURwhmIt91DiUsUw2JHJYqACligP1uXjRP19gLBuHeVNXP', 'lqsu07OmfboE51hkKcFQZfOeohQgdsXJpwH19tPJIxbnloG0EQElOpFNlXw1YWFWHdBtCAUCGx7RzUPrp0vj6O', 'Pl2rLE4NFtvwpuxh9sQICrTA02puQ3l0wmGobDtKEtDQYp9NtFnsr0yJ4EXv69vEnPqN47QpRHNc0MkAuxuG3X', 'KdVFbPcZtmc5qWDmWAxenzBQZsFj2y1IkVJrkWTaZqy4RN5x7X4UJCZPqGfR1nIGQKiSLvDck0jrhrNMj4Zhvt', 'sWK8vuJRm8M7VFNfVet38IXxMDOBVpNoEvoaJOy2fXnYDixgCoJOZUvyQExFEXEIJedbrENkdjo3JUdsqHJdHg', '_78E00qSUqiwXMsuRg9AR5r0Et06xyxHKa0yYgelPQWb9XWLYWB4QHANvr24N0UIz7XMOPBk4xHjZRn2irwSEm6', 'Kn2ickZPGCnkIfx2SIh0FyIsImdy0JdL95XdZq2zkx2ARnyABIA01bCELcv0k43JTab4APMbIIb4YBAdNd6fZG', 'a0uJIUhDNBBBOsnT1speyYAmyNBYhRuHZ6DqkqZKWSSvHYpDrB0WRRXcgd7rVvs4H7iax7ntPSkFgBGt4PpWRr', '_72TWMwDUPUengDslxZ7ashZ9blkvIyPqCf8HrPSykCuRkJtI24TRm4hbjqsd3YPrTmShlG573OHlL5nTRSqa1t'
            Source: 011K3SJvSf.exe, 75nEg0zZR0dHe.cs | High entropy of concatenated method names: '_5deq5ZMjXSyOV', '_1ylcOTS7IequM', 'Jec3M7x8OHYHU', 'XFGNrMmv4br0v', '_1UPCebSNb17oS', 'ZWHoZcMAqG9NM', 'b2F5a7qBXz5Vo', 'yxkqiLSPeeleq', 'xbsVGOJehhaH3', '_2QsbjhSfy2vJi'
            Source: 011K3SJvSf.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | High entropy of concatenated method names: '_1nUdV8zCgrBa3pV3QCLM48pI7PGiNwJLvkgLDquedBS0T55d2IBdIKrGglAUEGkd3y4QntF', 'ZUmB24n464ntiQrflcihkDyPco81l8Q7DbSzDtnPgle6J6wZ28XmQUOLWjnlfqlyYqNcIrx', 'Fqv6NSSymAkmG1Tv6yUOrZ1GG2fbAU7RdkKa1NI9XlVZ6MhApGbUjYA1ZrP9nbK4WaYQWO6', 'NN4ROQ4RugYSKZgXWTebgYaOkvNaAjJLJwZ4WGeS1tFDMHcXwQWLIXcAcxQT9SrJVlS5idE', 'A8u0DQJPq3SvcF1uAdysGKN9Evjx3OQ7rrDcxaJUNmcNtWxHKL5npGDS8Jvg48bYqJTvHCs', 'hm6KXVdf3MWpMoAIsalbhUDSQJwI8Ei27WKvbTt5UVmAEOSCzCom2ybLOPDTY6NKIgssTG5', 'ikPkXINAQMgiz2gNKsResrVJD5I3SwrfAxRQfhldfRVkkXrgfnoxbjRw0b4jEd2hAw5nOyj', 'UtsfbvVmPY2OOjmvLR2JLhy36YRk6vk96eYY8K6gzyUGtVUiyqWf8ry33MA7oYVqMX2thcx', 'W3YjdpEgWQybF', 'Fh9HwxHIZFa4I'
            Source: 011K3SJvSf.exe, ocdWY4uta2L6F.cs | High entropy of concatenated method names: '_6ZbrahaikQCcd', 'zs2tTgBzWM2mD3yMJQAVREjQu4hieQ4zJOhnrEN0B7Iai5Bj5S1qmooPZamjemY', 'qldTlCiD7qExb6p4FxM2p1D1P4wVYjKrUvg5ITB3mJe01cpffWrLtj0juPPuHby', 'Ee2Ud3UssTJpmjLUQoJ1fHkbl0dggJMamVcMoQhRFOMYQ9wxb7t3njBLekP1Swq', 'pDUvkqaLWIjKFi4nijh2Jb8W1I4Otb9JmwPdWMYUbQEZzafaxgSof1cPOmsujXC'
            Source: 011K3SJvSf.exe, zdtkXphm1qUGTOgxhhi6mhj0ZkS1NHj4NF8FjvfZJNSQEp8xxlOX8RlyrbWrOff2QnlKL3srkSeTIIF5qlGNY2.cs | High entropy of concatenated method names: 'yi6PZbY6haSeIP2qzmu8X8djxweLUaPHTLfzJhTrpBjyISPgxoNbD967E6KaCuklnmMJqhQEKm5AGpsuhm5pSN', 'HVGwB1qYNdzDwmFsbSmVov1zNXLwLT8QXhkHsqMK44ZYNBPnRY6H1fTBuMr2Fx1Kxph0CctRvpO1SwTuptCjNO', 'wSQ1TOl0Qw1PGzDkvkXh7wUppmfQM5treEokthCDrGK39TWWXnydBfcdbFG6XjbJC6y3aqqxtbCO6ApGxw2tL6', 'N13xUgTiqRGgZcZSLgqtUAuBlIiSpr5', 'f1eW6VvNCHDPH0jcJOhj3UvX2FcBwMa', 'y59PbByil3pLYv7mufMbV2KNL8dC9TO', 'jBQxblwueNcd01bwF0d8OHwlr1FFL32', 'DK7dv84vaZIzUWLkljXYRsgtl2JmFc6', 'WaxLR0sqXoIPzoMu91Boe8hzh7EaW0z', 'cZKh39JIUQn9kJXDoNgi5yfVlokWVJj'
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\011K3SJvSf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Memory allocated: E40000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Memory allocated: 1A9B0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Window / User API: threadDelayed 7145
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Window / User API: threadDelayed 2698
            Source: C:\Users\user\Desktop\011K3SJvSf.exe TID: 6224 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\011K3SJvSf.exe TID: 6924 | Thread sleep count: 7145 > 30
            Source: C:\Users\user\Desktop\011K3SJvSf.exe TID: 6924 | Thread sleep count: 2698 > 30
            Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | File Volume queried: C:\ FullSizeInformation
            Source: 011K3SJvSf.exe, 00000000.00000002.3917066873.0000000000C39000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

            Anti Debugging

            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Process Stats: CPU usage > 42% for more than 60s
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Process token adjusted: Debug
            Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Queries volume information: C:\Users\user\Desktop\011K3SJvSf.exe VolumeInformation
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\011K3SJvSf.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: 011K3SJvSf.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.011K3SJvSf.exe.700000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.1473205923.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.3917779870.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 011K3SJvSf.exe PID: 5788, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 011K3SJvSf.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.011K3SJvSf.exe.700000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.1473205923.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.3917779870.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 011K3SJvSf.exe PID: 5788, type: MEMORYSTR

            MITRE ATT&CK Matrix

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
            Execution: 11 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
            Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
            Defense Evasion: 1 Disable or Modify Tools; 232 Virtualization/Sandbox Evasion; 1 Deobfuscate/Decode Files or Information; 2 Software Packing; 1 DLL Side-Loading
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
            Discovery: 211 Security Software Discovery; 232 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery; Internet Connection Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
            Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
            Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
            Behavior Graph

            Behavior Graph ID: 1600637, Sample: 011K3SJvSf.exe, Start date: 27/01/2025, Architecture: WINDOWS, Score: 100
            Signatures on the sample: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
            Process started: 011K3SJvSf.exe
            Network contact: 176.113.115.225, ports 4444, 49705, SELECTELRU, Russian Federation
            Signatures on the process: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found potential dummy code loops (likely to delay analysis)

            Source | Detection | Scanner | Label
            011K3SJvSf.exe | 69% | Virustotal |
            011K3SJvSf.exe | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
            011K3SJvSf.exe | 100% | Avira | TR/Dropper.Gen
            011K3SJvSf.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            Source | Detection | Scanner | Label
            176.113.115.225 | 0% | Avira URL Cloud | safe


            No contacted domains info
            Name | Malicious | Antivirus Detection | Reputation
            176.113.115.225 | true | Avira URL Cloud: safe | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 011K3SJvSf.exe, 00000000.00000002.3917779870.00000000029B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
            IP | Domain | Country | ASN | ASN Name | Malicious
            176.113.115.225 | unknown | Russian Federation | 49505 | SELECTELRU | true
              Joe Sandbox version:42.0.0 Malachite
              Analysis ID:1600637
              Start date and time:2025-01-27 19:46:11 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 7m 17s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of new started processes analysed:5
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Sample name:011K3SJvSf.exe
              renamed because original name is a hash value
              Original Sample Name:38e6b2d0fcbee8e541b8524b78642bfa38b12829ba352f3f66f490060e224da6.exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@1/0@0/1
              EGA Information:Failed
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 47
              • Number of non-executed functions: 4
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240000 for current running targets taking high CPU consumption
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
              • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
              • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target 011K3SJvSf.exe, PID 5788 because it is empty
              • Not all processes were analyzed, report is missing behavior information
              Time | Type | Description
              13:47:39 | API Interceptor | 12654695x Sleep call for process: 011K3SJvSf.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
176.113.115.225 | qlGJTKUY7O.exe | malicious | XWorm
 | 176.113.115_2.225.ps1 | malicious | XWorm
                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SELECTELRU | qlGJTKUY7O.exe | malicious | XWorm | 176.113.115.225
 | 176.113.115_2.225.ps1 | malicious | XWorm | 176.113.115.225
 | p199AjsEFs.exe | malicious | Amadey, AsyncRAT, KeyLogger, LummaC Stealer, PureLog Stealer, ReverseShell, Stealc | 176.113.115.163
 | VbEfsnL4cp.exe | malicious | LummaC Stealer | 176.113.115.215
 | 2E02vIiMfd.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar | 176.113.115.96
 | grcKLMutRS.exe | malicious | LummaC Stealer | 176.113.115.215
 | 4WzIkJRbcc.exe | malicious | LummaC Stealer | 176.113.115.215
 | 2r81fhbT6k.exe | malicious | LummaC Stealer | 176.113.115.215
 | random.exe | malicious | Amadey, Socks5Systemz | 176.113.115.96
 | random.exe | malicious | Socks5Systemz | 176.113.115.96
                  No context
                  No context
                  No created / dropped files found
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):6.642317309308554
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  • Win32 Executable (generic) a (10002005/4) 49.75%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Windows Screen Saver (13104/52) 0.07%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  File name:011K3SJvSf.exe
                  File size:242'706 bytes
                  MD5:f5820286359139ca1e53025e1d7dad6d
                  SHA1:56f446f0eb8726e6598e854d06d91363b3bc7074
                  SHA256:38e6b2d0fcbee8e541b8524b78642bfa38b12829ba352f3f66f490060e224da6
                  SHA512:16e96660753f6568dfa9ff6b6d89d97cc01ad72d50d626418aaea90b6eb11bf549a8b5baf67ed47bd3b8a29a186b7d7d149be87098e7ea186891802409e37654
                  SSDEEP:3072:dKQ838htC1xXkbE7sO9HqtlrxNeLR1VfBKQ838htC1xXkbE7sO9HqtlrxNeLR1Va:dSs8UbptxnqR1TSs8UbptxnqR1Q
                  TLSH:AB34E79C736072DFC8ABD5719EA82C64EB70757B830B4617A457029EAE0D98BCF141F2
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p.g............................n.... ........@.. .......................@............@................................
                  Icon Hash:00928e8e8686b000
                  Entrypoint:0x40f26e
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x679270D9 [Thu Jan 23 16:39:53 2025 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                  Instruction
                  jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times; the bytes following the jmp are zero padding)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf220 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x4ce | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd274 | 0xd400 | b7405d31711236f0e57e5ae179990193 | False | 0.6131522700471698 | data | 6.053995047071589 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x10000 | 0x4ce | 0x600 | b6854ead75e0aea5a0ec3175723e462f | False | 0.3736979166666667 | data | 3.7184457289766475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12000 | 0xc | 0x200 | 6337b9e9d5046d21cbc9e9adf359daaa | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x100a0 | 0x244 | data | | | 0.4724137931034483
RT_MANIFEST | 0x102e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-27T19:47:55.038929+0100 | 2858800 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:47:55.256975+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:47:55.355174+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:47:57.041532+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:47:57.041532+0100 | 2858801 | ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:09.684030+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:09.692478+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:24.047920+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:24.050924+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:27.151760+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:27.163169+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:38.437525+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:38.439571+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:42.537388+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:42.557724+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:42.659608+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:42.665850+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:42.788818+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:42.793739+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:46.393046+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:46.395054+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:48.189783+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:48.192045+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:48.313102+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:48.315853+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:48.620472+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:48.637897+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:49.710659+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:49.713157+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:54.203568+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:54.206356+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:54.347570+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:54.349884+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:54.470733+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:54.473264+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:54.589697+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:54.593766+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:54.710488+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:54.717794+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:55.316022+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:48:55.318701+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:56.950882+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:00.233744+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:00.238103+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:00.921658+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:00.924615+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:10.144774+0100 | 2858799 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:10.362278+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:10.365942+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:10.485212+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:10.488214+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:10.912548+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:10.913276+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:10.914820+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:20.812185+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:20.815129+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:26.735069+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:26.737303+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:26.957676+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:41.232616+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:41.248154+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:42.281682+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:42.284559+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:47.922903+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:47.925201+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:48.044816+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:48.047951+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:48.180448+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:48.182756+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:48.288864+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:48.407560+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:48.409950+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:50.046973+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:50.049463+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:52.359588+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:52.361686+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:56.962235+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:58.547568+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:58.550006+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:58.669664+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:58.674863+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:58.791525+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:58.794754+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:58.917752+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:58.922812+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:59.033620+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:49:59.036222+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:05.578389+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:05.580369+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:08.062284+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:08.064584+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:19.351544+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:19.353291+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:20.300113+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:20.301772+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:25.703495+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:25.705493+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:26.951855+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:30.765893+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:30.772532+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:30.906481+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:30.912557+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:31.029710+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:35.944083+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:35.974571+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:40.578290+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:40.580691+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:42.142328+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:42.144845+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:46.062460+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:46.065203+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:47.208149+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:47.215571+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:53.938180+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:53.953652+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:55.392607+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:55.394786+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:56.651115+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:56.653609+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:56.675575+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:56.677828+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:56.820494+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:56.822011+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:50:56.958044+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:59.640750+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:50:59.644216+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:07.383327+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:07.385830+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:21.325490+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:21.328989+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:26.972382+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:27.766245+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:27.769003+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:31.328469+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:31.330386+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:33.703815+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:33.705804+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:34.640963+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:34.651077+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:36.516428+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:36.517611+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:50.908579+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:51:50.913178+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:51:56.979176+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:52:05.297096+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.7 | 49705 | TCP
2025-01-27T19:52:05.298028+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49705 | 176.113.115.225 | 4444 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jan 27, 2025 19:51:36.517611027 CET497054444192.168.2.7176.113.115.225
                  Jan 27, 2025 19:51:36.522422075 CET444449705176.113.115.225192.168.2.7
                  Jan 27, 2025 19:51:50.690004110 CET497054444192.168.2.7176.113.115.225
                  Jan 27, 2025 19:51:50.698715925 CET444449705176.113.115.225192.168.2.7
                  Jan 27, 2025 19:51:50.908579111 CET444449705176.113.115.225192.168.2.7
                  Jan 27, 2025 19:51:50.913177967 CET497054444192.168.2.7176.113.115.225
                  Jan 27, 2025 19:51:50.918044090 CET444449705176.113.115.225192.168.2.7
                  Jan 27, 2025 19:51:56.979176044 CET444449705176.113.115.225192.168.2.7
                  Jan 27, 2025 19:51:57.032443047 CET497054444192.168.2.7176.113.115.225
                  Jan 27, 2025 19:52:05.079662085 CET497054444192.168.2.7176.113.115.225
                  Jan 27, 2025 19:52:05.084428072 CET444449705176.113.115.225192.168.2.7
                  Jan 27, 2025 19:52:05.297096014 CET444449705176.113.115.225192.168.2.7
                  Jan 27, 2025 19:52:05.298027992 CET497054444192.168.2.7176.113.115.225
                  Jan 27, 2025 19:52:05.303234100 CET444449705176.113.115.225192.168.2.7
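The packet list above is one long-lived TCP connection between the analysis host (192.168.2.7, ephemeral port 49705) and the C2 at 176.113.115.225 on port 4444, which is what the "Detected TCP or UDP traffic on non-standard ports" signature refers to. The script below is an added example and is not part of the Joe Sandbox report: it parses rows in the timestamp | source port | dest port | source IP | dest IP layout, infers which side is the client from the Windows ephemeral port range, groups packets into request/response exchanges, and reports the gaps between exchanges, which is the beacon cadence an analyst would compare against a live capture. SAMPLE_ROWS is transcribed from the packet list above; the 0.5 s idle threshold, the ephemeral-port heuristic and the EXPECTED_PORTS set are assumptions of this script, not report output.

```python
"""Profile a sandbox TCP packet timeline as one C2 conversation.
Added example for this report page, not Joe Sandbox code. SAMPLE_ROWS is
transcribed from the report's TCP packet list (192.168.2.7:49705 <->
176.113.115.225:4444); the idle threshold, the ephemeral-port heuristic and
EXPECTED_PORTS are assumptions of this script, not report output.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

Packet = namedtuple("Packet", "ts sport dport sip dip")

# timestamp | source port | dest port | source IP | dest IP
SAMPLE_ROWS = """\
Jan 27, 2025 19:51:27.548866034 CET|49705|4444|192.168.2.7|176.113.115.225
Jan 27, 2025 19:51:27.553719044 CET|4444|49705|176.113.115.225|192.168.2.7
Jan 27, 2025 19:51:27.766244888 CET|4444|49705|176.113.115.225|192.168.2.7
Jan 27, 2025 19:51:27.769002914 CET|49705|4444|192.168.2.7|176.113.115.225
Jan 27, 2025 19:51:27.773829937 CET|4444|49705|176.113.115.225|192.168.2.7
Jan 27, 2025 19:51:31.110764027 CET|49705|4444|192.168.2.7|176.113.115.225
Jan 27, 2025 19:51:31.115633965 CET|4444|49705|176.113.115.225|192.168.2.7
Jan 27, 2025 19:51:31.328469038 CET|4444|49705|176.113.115.225|192.168.2.7
Jan 27, 2025 19:51:31.330385923 CET|49705|4444|192.168.2.7|176.113.115.225
Jan 27, 2025 19:51:31.335365057 CET|4444|49705|176.113.115.225|192.168.2.7
Jan 27, 2025 19:51:33.485874891 CET|49705|4444|192.168.2.7|176.113.115.225
Jan 27, 2025 19:51:33.490771055 CET|4444|49705|176.113.115.225|192.168.2.7
Jan 27, 2025 19:51:33.703814983 CET|4444|49705|176.113.115.225|192.168.2.7
Jan 27, 2025 19:51:33.705804110 CET|49705|4444|192.168.2.7|176.113.115.225
Jan 27, 2025 19:51:33.710650921 CET|4444|49705|176.113.115.225|192.168.2.7
Jan 27, 2025 19:51:34.423523903 CET|49705|4444|192.168.2.7|176.113.115.225
Jan 27, 2025 19:51:34.428420067 CET|4444|49705|176.113.115.225|192.168.2.7
Jan 27, 2025 19:51:34.640963078 CET|4444|49705|176.113.115.225|192.168.2.7
Jan 27, 2025 19:51:34.651077032 CET|49705|4444|192.168.2.7|176.113.115.225
Jan 27, 2025 19:51:34.659317017 CET|4444|49705|176.113.115.225|192.168.2.7
"""

_TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+$")
WINDOWS_EPHEMERAL_START = 49152  # default dynamic port range on Windows (heuristic)
EXPECTED_PORTS = {80, 443}       # assumption: ports a benign client normally talks to

def parse_timestamp(text):
    """Parse 'Jan 27, 2025 19:51:27.548866034 CET'; keeps microseconds, drops the tz label."""
    m = _TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base + timedelta(microseconds=int(m.group(2)[:6].ljust(6, "0")))

def parse_packets(rows):
    packets = []
    for line in rows.strip().splitlines():
        ts, sport, dport, sip, dip = (f.strip() for f in line.split("|"))
        packets.append(Packet(parse_timestamp(ts), int(sport), int(dport), sip, dip))
    return sorted(packets, key=lambda p: p.ts)

def identify_roles(packets):
    """Return (client, server) as (ip, port). Heuristic: the side on an
    ephemeral port is the client; the other side is the listener."""
    endpoints = {(p.sip, p.sport) for p in packets} | {(p.dip, p.dport) for p in packets}
    if len(endpoints) != 2:
        raise ValueError("expected exactly one two-endpoint conversation")
    low, high = sorted(endpoints, key=lambda e: e[1])
    if high[1] < WINDOWS_EPHEMERAL_START:
        raise ValueError("no ephemeral port on either side; cannot infer roles")
    return high, low

def split_exchanges(packets, client, idle=0.5):
    """Group packets into exchanges: a client packet arriving more than `idle`
    seconds after the previous packet (either direction) opens a new one."""
    exchanges, prev = [], None
    for p in packets:
        from_client = (p.sip, p.sport) == client
        quiet = prev is not None and (p.ts - prev.ts).total_seconds() > idle
        if not exchanges or (from_client and quiet):
            exchanges.append([])
        exchanges[-1].append(p)
        prev = p
    return exchanges

def profile(rows, idle=0.5):
    packets = parse_packets(rows)
    client, server = identify_roles(packets)
    exchanges = split_exchanges(packets, client, idle)
    starts = [ex[0].ts for ex in exchanges]
    return {
        "client": client,
        "server": server,
        "to_server": sum((p.dip, p.dport) == server for p in packets),
        "from_server": sum((p.sip, p.sport) == server for p in packets),
        "exchanges": len(exchanges),
        # seconds between the start of consecutive exchanges (beacon cadence)
        "exchange_gaps_s": [round((b - a).total_seconds(), 3) for a, b in zip(starts, starts[1:])],
        "non_standard_port": server[1] not in EXPECTED_PORTS,
    }

if __name__ == "__main__":
    for key, value in profile(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

On the transcribed window the exchange gaps come out irregular (about 3.6, 2.4 and 0.9 s), so a detector that keys on a fixed beacon interval would not fire on this sample; the stronger signals here are a single persistent connection to a non-standard port with a consistent client-initiated request/response shape, which is what the report's signatures flag.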
[Chart: CPU usage over the run (x-axis 0-200 s, y-axis 0-100 %), per process]

[Chart: memory usage over the run (x-axis 0-200 s, y-axis 0-30 MB), per process]

[Chart: process behavior distribution by category: File, Registry, Network]

                  Target ID:0
                  Start time:13:47:30
                  Start date:27/01/2025
                  Path:C:\Users\user\Desktop\011K3SJvSf.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\011K3SJvSf.exe"
                  Imagebase:0x700000
                  File size:242'706 bytes
                  MD5 hash:F5820286359139CA1E53025E1D7DAD6D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1473205923.0000000000702000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1473205923.0000000000702000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3917779870.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:false

                  Executed Functions

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID: 0-3916222277
                  • Opcode ID: d5510d0cfdbfe00504e90ed0651425d2006bd32f8980e1e09342854b3a5ccb78
                  • Instruction ID: e753e5126578fd1de2592e0479087dee2703544404f3b94aeaabd585ea1b1f33
                  • Opcode Fuzzy Hash: d5510d0cfdbfe00504e90ed0651425d2006bd32f8980e1e09342854b3a5ccb78
                  • Instruction Fuzzy Hash: E8626270B1D51A8BFB95EB78C495A7973D2EF9A300F508578D40ED3293DE28E8468B81
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a63171edb4ee6579d36e5978dd08b3761a93fd1a85e4df6e7cb7b134f7ee23cb
                  • Instruction ID: 57b6699fc708f2b4434c2dd5089dd1d151a77a67f5a900b287f3f089715b3e07
                  • Opcode Fuzzy Hash: a63171edb4ee6579d36e5978dd08b3761a93fd1a85e4df6e7cb7b134f7ee23cb
                  • Instruction Fuzzy Hash: 33F1C830609A4E8FEBA9EF28C8557E977D1FF65310F44826EE84DC7292CB34D9458B81
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 33d8ac27874a65e28c9b95a131ceef30641effab753b733fb26636654714da6e
                  • Instruction ID: fd642a27654c699958b416dab97ce874d6def6acc5ec7393c08d764eca6303a8
                  • Opcode Fuzzy Hash: 33d8ac27874a65e28c9b95a131ceef30641effab753b733fb26636654714da6e
                  • Instruction Fuzzy Hash: 6EE1C530A09A4ECFEBA9DF28C8557E97BD1EF55311F04826AE84DC7292CE74D8448BD1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID: 6B$r6B$r6B$r6B
                  • API String ID: 0-3329012255
                  • Opcode ID: 5366c3b407da757918684d8fb4a0be853ac520f3d0e144cc97815b0038cc6bcc
                  • Instruction ID: 70c8ca46b68213ae7b94407562b85e9270e8d13468c2ef0bbcbbf473a325d9f6
                  • Opcode Fuzzy Hash: 5366c3b407da757918684d8fb4a0be853ac520f3d0e144cc97815b0038cc6bcc
                  • Instruction Fuzzy Hash: 09D1E871B1CA198FEB99EB2C9494A6477E1FF59350F5085BDE04EC7292DE24EC428B80
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID: HBL$/B$/B
                  • API String ID: 0-189251506
                  • Opcode ID: f485a39e3fca1e0ba8c60a0d8c26a7b4969460f598b6568060885b7967d68fb5
                  • Instruction ID: 2f77419d6dedb826efddee6bac50d9034722546f62853c589615019809cefb4a
                  • Opcode Fuzzy Hash: f485a39e3fca1e0ba8c60a0d8c26a7b4969460f598b6568060885b7967d68fb5
                  • Instruction Fuzzy Hash: 05817C30A0D68A8FEB47E77488555A97FA0EF57320F1542BEE05DC31D3DE28A846CB91
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID: HBL$r6B
                  • API String ID: 0-576574262
                  • Opcode ID: 8e6ed5b82a42102c7ae3c6a79d292b6d1031fdbc48c44cfca8cc170c77346917
                  • Instruction ID: 951fbcbcead83f15c40d19540dde6043855160bb792dd25ba363750d8845db70
                  • Opcode Fuzzy Hash: 8e6ed5b82a42102c7ae3c6a79d292b6d1031fdbc48c44cfca8cc170c77346917
                  • Instruction Fuzzy Hash: A9B14BA2B0DA4A4FF759977C88596B9BBD1EF96350F18817ED04EC3293DD28980987C0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID: 0DL$0DL
                  • API String ID: 0-1470282362
                  • Opcode ID: acf4d20eabf8e31ffbe4a88754a901faf68886ed8602b12e16f7ea494079437d
                  • Instruction ID: ca535db664afb52df8d2973080f53397b9f44f2de9bceee7ea0733b8f26428b2
                  • Opcode Fuzzy Hash: acf4d20eabf8e31ffbe4a88754a901faf68886ed8602b12e16f7ea494079437d
                  • Instruction Fuzzy Hash: 1C51BDA1B19A4A4FEB99E77894695BD7BD1FF8931074085BDE00FC33D3DD2899058780
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID: 6B
                  • API String ID: 0-3582735225
                  • Opcode ID: 1f11f6a110957fb1dda65eae8a61212eda97d12381ccaeef3e5a545710201918
                  • Instruction ID: 4b8ef8fddf087e27fa23071ae683e8d31d823f1906e6ee1cf57c32ef8e231a50
                  • Opcode Fuzzy Hash: 1f11f6a110957fb1dda65eae8a61212eda97d12381ccaeef3e5a545710201918
                  • Instruction Fuzzy Hash: 2FA196617189158BEB44B7BCDC96BB9B3D6EF98700F50457AE00DC3393CE68B8458BA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID: 8eL
                  • API String ID: 0-2144845364
                  • Opcode ID: 4d58611a3ee75298e695b01f75362f635cc47aac24631ed58ca93a8ce49384bb
                  • Instruction ID: 144394764c28b60b5d782075006612d0d394a30a5456049c524d6f190c6ba9c2
                  • Opcode Fuzzy Hash: 4d58611a3ee75298e695b01f75362f635cc47aac24631ed58ca93a8ce49384bb
                  • Instruction Fuzzy Hash: 5C51A142B0EAC25BF347537868250B5AF91EF9326071981FBE0CDCB4EBD918D94987D2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID: 0?_
                  • API String ID: 0-3131538479
                  • Opcode ID: 0b77819f84480a23329d75272633c363945ea6276575da46e1fb6686ca1c82b8
                  • Instruction ID: e0408e6f3211398a5c7661043d96f66f0af53cedcb3f977f95e15c2df821c2ed
                  • Opcode Fuzzy Hash: 0b77819f84480a23329d75272633c363945ea6276575da46e1fb6686ca1c82b8
                  • Instruction Fuzzy Hash: 6A51AE74A08A5D8FEB59EB68D4A9AB977A0FF55311F10416ED00EC32A2DB35E841CB80
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID: r6B
                  • API String ID: 0-2064104202
                  • Opcode ID: 255204bcb424ba5c9a7da33b3a97bb6b565a70ca60b0ba30a29075adde7b2a1b
                  • Instruction ID: ceca245ecb966213364d9fdb38a91853b9cf593fda62b2f7b23c9c4db6f7c739
                  • Opcode Fuzzy Hash: 255204bcb424ba5c9a7da33b3a97bb6b565a70ca60b0ba30a29075adde7b2a1b
                  • Instruction Fuzzy Hash: D141F56171DA890FE789AB7C885A679BBD1DF9A215F0841FFE04DC72A3CD189C468381
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID: r6B
                  • API String ID: 0-2064104202
                  • Opcode ID: 4ada402c05c8d98dab0939317b880a2f63edd884c941c5f15a632209ea63311d
                  • Instruction ID: 13643b6b0ebcc5e58fed30b38eacb440b85f483258704e75c05db3fdf82f7afb
                  • Opcode Fuzzy Hash: 4ada402c05c8d98dab0939317b880a2f63edd884c941c5f15a632209ea63311d
                  • Instruction Fuzzy Hash: 9731E6A1B189494FE798EB3CD85AB78A6C2EF9D315F0445BEE00EC3293DE189C418381
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID: HBL
                  • API String ID: 0-703221453
                  • Opcode ID: f2f5c981c1190e9e347c4ba330070c4750aaa104fdc5d5c7414d8e24645a0713
                  • Instruction ID: 048eac4fcb8aa4f7518127308191de89f3453efe6b315de71353ab65f79338a4
                  • Opcode Fuzzy Hash: f2f5c981c1190e9e347c4ba330070c4750aaa104fdc5d5c7414d8e24645a0713
                  • Instruction Fuzzy Hash: 9041F361E0E146CBF756A738C8566B83791BF56360F658079D40DC72D3EE2CE84A8BD0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID: 6B
                  • API String ID: 0-3582735225
                  • Opcode ID: 414323c0870bd2ec848f14f9b93f2d4da78aa760490477c7825a26ab2948d73d
                  • Instruction ID: bce3ecebb8defd45a2dac4dac3286be5453122b7ed266ca5d068882787907cf3
                  • Opcode Fuzzy Hash: 414323c0870bd2ec848f14f9b93f2d4da78aa760490477c7825a26ab2948d73d
                  • Instruction Fuzzy Hash: 7631C591B18A0A4FFB45BBBC9C197BD67D2EF99311F0481BAF00DC3293DE1898454791
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID: HBL
                  • API String ID: 0-703221453
                  • Opcode ID: 701ed263e4c504efc6c70a70f5364c957bc7c164807cb691771606a12f0f3120
                  • Instruction ID: cf8babdd627302248715dadcb09c54708317fe0a4fa9b781ed69ef7993992fff
                  • Opcode Fuzzy Hash: 701ed263e4c504efc6c70a70f5364c957bc7c164807cb691771606a12f0f3120
                  • Instruction Fuzzy Hash: 9F41DCB0A1D64E8FDB45EB78C851AB9B7B1FF49300F5085B9D04DC7297DD34A4048B90
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID: 6B
                  • API String ID: 0-3582735225
                  • Opcode ID: af5bc8a9598d27a7605f2b188b7e41a272c1a53a2fd6963e15bcd2ad2e8af120
                  • Instruction ID: 2a20319365f1a108e9f8c89a8bbdf7bc1c2b8b184fe4ae3cebc364bb74f32df7
                  • Opcode Fuzzy Hash: af5bc8a9598d27a7605f2b188b7e41a272c1a53a2fd6963e15bcd2ad2e8af120
                  • Instruction Fuzzy Hash: DB31C291B1890A4BFB84BBBC9C0A7BDA6D6EFD8751F00817AF00DC3293DE18AC454791
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID: HBL
                  • API String ID: 0-703221453
                  • Opcode ID: b85ca129c86592ceadb1a54bb46501e173615960e9885d963927e4e1ea92be60
                  • Instruction ID: 1119e9cbff70967862a3ce47caad553bdea065f28faab2111605c198977a0095
                  • Opcode Fuzzy Hash: b85ca129c86592ceadb1a54bb46501e173615960e9885d963927e4e1ea92be60
                  • Instruction Fuzzy Hash: 96313EB1A0D6898FF75AAB3884692787BD1EF66300F5440BFD04DC72E3DE6894458741
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID: d
                  • API String ID: 0-2564639436
                  • Opcode ID: 56d244339d48961f4636f2c3e54afc4010be4a4b78daeb2b8e77eb2990924958
                  • Instruction ID: 60f0324538e93fdacfe8010eef3066564c8684c7e5f1d1f95093ff946f97d761
                  • Opcode Fuzzy Hash: 56d244339d48961f4636f2c3e54afc4010be4a4b78daeb2b8e77eb2990924958
                  • Instruction Fuzzy Hash: E321A431D0D65A8FFB01AFB488056E9BBF0EF46354F0541BAD45DD7192DB2CD4488B91
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6bf9301eea639fd319febca867eeabcdc13ded8fcef30d6b97fe2a24f98c3501
                  • Instruction ID: 7340200b3d146d57cc25ca4b484800eb0cff48e36b0fc17460bc0c0b8d210b54
                  • Opcode Fuzzy Hash: 6bf9301eea639fd319febca867eeabcdc13ded8fcef30d6b97fe2a24f98c3501
                  • Instruction Fuzzy Hash: 62B1B670609A8D8FEB59DF28C855BE93BD1EF56310F04826EE84DC7292CA34D945CBD2
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 454278300f85f132f258b19591df9a93e387da0dd8494c368dc00ec6f8772f13
                  • Instruction ID: 2775aeb3cac0e36863f8a3e82093f6382f9589406174e6099421b85f0b465318
                  • Opcode Fuzzy Hash: 454278300f85f132f258b19591df9a93e387da0dd8494c368dc00ec6f8772f13
                  • Instruction Fuzzy Hash: 14912CB1E1EA4A8FF755EB38C4456A4B7E1EF55710F4481B6D04DC7193DE28E80A8BC1
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8a37ead45cf4a456c7d482cf23f4c4d7061d327b5f314e88df067e6c9a9c8d6d
                  • Instruction ID: 1f7c582a5054d29c3bc09e6beefde50a0baff510d97c5d79f4f4603f8db47b4b
                  • Opcode Fuzzy Hash: 8a37ead45cf4a456c7d482cf23f4c4d7061d327b5f314e88df067e6c9a9c8d6d
                  • Instruction Fuzzy Hash: DF21D761A1D7CA8FF742A7A888655F9BFF1EF43700B4580B6C00EDB2D3DD14584A8B91
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 940663f46e549c6e167dbb4da232eb3928cc6ba3311d1bd3d37245878c0f730a
                  • Instruction ID: 43f05c7d22f3ab7dc527ef1e18f2ed10739c5206ddafa5377cd28a0d38f7e044
                  • Opcode Fuzzy Hash: 940663f46e549c6e167dbb4da232eb3928cc6ba3311d1bd3d37245878c0f730a
                  • Instruction Fuzzy Hash: 3F81B571A0DA49DFEB46EB7CC495AA87BE1FF5A310B0441BAD44DC3292DF28E845CB41
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 46f6fecaed4c2b13922ea87dccab50e334bdacd02ba5b54cac4dde39be21b03e
                  • Instruction ID: ad47b564c667c5ef257cd121773dffa0595206bc4bc10a9c2c247ac0ac5a4bec
                  • Opcode Fuzzy Hash: 46f6fecaed4c2b13922ea87dccab50e334bdacd02ba5b54cac4dde39be21b03e
                  • Instruction Fuzzy Hash: BA719171A09A4D8FEB58EB68C845BADBBF1FF55310F1481BAD04DD3292DE34A8458B81
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 15bf8ad62070924ecb4a1f512e65780fde5e97c7d1027ba983f0270cbc4d76b8
                  • Instruction ID: 464dcef3a4eb8da1ff5a9472c2e36ae8bc78e2d6d8d073695388de12e71aee57
                  • Opcode Fuzzy Hash: 15bf8ad62070924ecb4a1f512e65780fde5e97c7d1027ba983f0270cbc4d76b8
                  • Instruction Fuzzy Hash: 4C519670A195499FF795EB28D855ABC77F1FF4A700F4081B9E40DC7293DE38A8458B80
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3979493da86f7cc53164a78943e5e9f9cd8670e36bec10af66a89b540cd9fb9a
                  • Instruction ID: 4d4beec9be5011d3c0a48f9b6b3279ecdbbf6cbb395ed5b7fe6cb20f1b5997df
                  • Opcode Fuzzy Hash: 3979493da86f7cc53164a78943e5e9f9cd8670e36bec10af66a89b540cd9fb9a
                  • Instruction Fuzzy Hash: 45516F71918A1C8FDB59DB68D845BE9BBF1FF59310F0082AAD00DE3252DE74A9858F81
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1e4d1bd1a0a031b0f8682729516ee1c53aa58efed46237aea7752099346129bb
                  • Instruction ID: 5b198e6ff882986bcb5a1ca3ea756fd10c41d1c33229c9c68c355657c2e88c3d
                  • Opcode Fuzzy Hash: 1e4d1bd1a0a031b0f8682729516ee1c53aa58efed46237aea7752099346129bb
                  • Instruction Fuzzy Hash: 3D515F70A18A1C8FDB98EF68D845BEDB7F1FF58311F10826AD44ED3256DA34A8458F81
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3584ebd3c987d4a0d1c6d57188b19c502de7a6ace2817a49114f726d638bc0bd
                  • Instruction ID: caaade92eee441ec1b9cab06292484fbf29b40fdb8399d4da60bdba113cef9ee
                  • Opcode Fuzzy Hash: 3584ebd3c987d4a0d1c6d57188b19c502de7a6ace2817a49114f726d638bc0bd
                  • Instruction Fuzzy Hash: 0551D671A0D9498FEB55E778D859AF977F1EF4A310F0541BAE00DC72A2DD28AC46C780
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fc4a1820696dcecb1071b55bbc42d56a20b9389251df37fd78e5958a718736cb
                  • Instruction ID: 24835f551a9cfa2677c95676fc54d507a45f4329bfbdf57b3e4cb7ab3c22dad3
                  • Opcode Fuzzy Hash: fc4a1820696dcecb1071b55bbc42d56a20b9389251df37fd78e5958a718736cb
                  • Instruction Fuzzy Hash: CC410971A0D64C8FEB55EB38C805AB97BE1FF4B310F0445BAE00DC7193DA28E8098781
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ed8a591f3fd0a66873edb55893aea92393a7158183d4f032b3149f09bb3dd422
                  • Instruction ID: 4878778982d1017b26218758bd66df8ebffc14d14d61ab9bdb47c95fb4778db0
                  • Opcode Fuzzy Hash: ed8a591f3fd0a66873edb55893aea92393a7158183d4f032b3149f09bb3dd422
                  • Instruction Fuzzy Hash: 9541F570A0D64C8FEB55EB38C815AB97BE1FF4A310F4541BAE04DC7193DA28E8598781
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e6ff65e50a976e166d99f1642e2a1407114c8d780de88a5558d67788f8632773
                  • Instruction ID: 9991b89ecf70dca8184ad30a2bd5ec6cffefcb5348eae6af39d42c1dd3629f6e
                  • Opcode Fuzzy Hash: e6ff65e50a976e166d99f1642e2a1407114c8d780de88a5558d67788f8632773
                  • Instruction Fuzzy Hash: A8415471B1891D8FEB94EB7CD459ABDB7E1EF99310F044179E00ED32A2DE24AC418B80
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7cb086af5d02417060e4934d9c908a54623152cdb38b8afe2fab992fde952788
                  • Instruction ID: 9466773f636a50060abdb0a79c2e6ad25ab60c97083c68ad08f6cf015a8fe8c0
                  • Opcode Fuzzy Hash: 7cb086af5d02417060e4934d9c908a54623152cdb38b8afe2fab992fde952788
                  • Instruction Fuzzy Hash: 5521E94B70D5928BE202A35DB8651F9BF90DFC2232708C5B7D28DCA557DA04AD4F87E2
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 361150b149f8c42ef9c9073636621e1e0aac0e7d79b28cc49f6d263239708566
                  • Instruction ID: 957b95b53f5f73eda9fc08ab242a92e84ad52182faff6bc01e404117bd174b33
                  • Opcode Fuzzy Hash: 361150b149f8c42ef9c9073636621e1e0aac0e7d79b28cc49f6d263239708566
                  • Instruction Fuzzy Hash: 7F315B6171C9494BE759A72C58156FAB7C2FF9A360F10427EE44EC3293DE28D80A47C1
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b7983750c1258fabaf71ff1eb7a63400750dfd1f8ff095a5f10ba9dd47223297
                  • Instruction ID: 3afb34caeb3c74d803944bba339a56b9fca421ba88c3935e610ac4103b71b402
                  • Opcode Fuzzy Hash: b7983750c1258fabaf71ff1eb7a63400750dfd1f8ff095a5f10ba9dd47223297
                  • Instruction Fuzzy Hash: DF31A13040D7888FD756DBA8C845AEABFF0EF56320F0482AFD089C7562D764A80ACB51
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4d003283b18979e218a6bd0e32a25ea3497ab1325e01a55ec665a7d3a5cd9d49
                  • Instruction ID: fe5906e956282cf951f3ec44daedb9a3e4b896574ad6738ec7b92208316c10b9
                  • Opcode Fuzzy Hash: 4d003283b18979e218a6bd0e32a25ea3497ab1325e01a55ec665a7d3a5cd9d49
                  • Instruction Fuzzy Hash: 68210931F099098FE759EB3884956BCB6B1EF55360F44817DD00FD32D3DE2898468B81
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cdbb18b6945c04c75f2048201515f811b3b9abce1cb2fde1c35cec1a234fc765
                  • Instruction ID: 6fe51cc19d92e5d29275e8ec72d8bd4e761d014c0aa850a2b079989a831786ac
                  • Opcode Fuzzy Hash: cdbb18b6945c04c75f2048201515f811b3b9abce1cb2fde1c35cec1a234fc765
                  • Instruction Fuzzy Hash: 6221E772A1D156CFFB06DB68C8555B077E0FF56360B6980B9C40DCB2D3EA2CE44A8B91
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5c25c24dcaa6f37839254d16b8609a628ec27b0698629438c087ea279effdb6a
                  • Instruction ID: 1c892cb37119be33fbd84709590af9fe7b9c511772139647bcca00666580c0f1
                  • Opcode Fuzzy Hash: 5c25c24dcaa6f37839254d16b8609a628ec27b0698629438c087ea279effdb6a
                  • Instruction Fuzzy Hash: B921F650B1D9564BFB42A7BC9C15BB9B7D1EF5A300F5441B9E00DC32D3DD58A8058B92
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 232baaf8b9989c199ce52efe24ad4e80fede5244599c1ff4c6a929cd45ecc727
                  • Instruction ID: d55cdf9205151ecaa4b0594d291b176365d35cc8c1574b4ff8e476789b47f21d
                  • Opcode Fuzzy Hash: 232baaf8b9989c199ce52efe24ad4e80fede5244599c1ff4c6a929cd45ecc727
                  • Instruction Fuzzy Hash: E021D820A4E58A4FF7469B6888516FA7BF1EF8A200F1480B6E48DC3193DD2CD95687D1
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cf63419cbab4902835550dff0cae60d7304177ccd0f9f557806cc3500b6d34bf
                  • Instruction ID: 1b4169ce621ec6cc3f0fda6104e77448897d1aa8b1298f68a728f5f80316b35f
                  • Opcode Fuzzy Hash: cf63419cbab4902835550dff0cae60d7304177ccd0f9f557806cc3500b6d34bf
                  • Instruction Fuzzy Hash: F5219DB1908A5D8FCB40EF68C8495EE7BF1FF29311F4001ABE409C7292EB389954CB81
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4f1b48be2d2c83c4d35425ae42c7d17cc1fee57be5d0249237d53f63aeb3b5c5
                  • Instruction ID: 1d1d588ee72894d7e4339575e2ca8179e21172ebad228b49fb58d4585ff5acb6
                  • Opcode Fuzzy Hash: 4f1b48be2d2c83c4d35425ae42c7d17cc1fee57be5d0249237d53f63aeb3b5c5
                  • Instruction Fuzzy Hash: 09118160B1891A8BFB45BBAC9816BB9B2D1EF49700F5041B9F00DC32C3DD58B8058BD1
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 670384c1df63a67e9f25b594a28bea2dcc9220c8eb4472b869a441f453435aee
                  • Instruction ID: 2af5807cb22dc330d8b91942d5bf121c301b2259d6056f13a24ba044f254be46
                  • Opcode Fuzzy Hash: 670384c1df63a67e9f25b594a28bea2dcc9220c8eb4472b869a441f453435aee
                  • Instruction Fuzzy Hash: 1D110661F1CA9A8FFB97E76854562B977D1EF9A310B0441B6E00CC3282DD18A80947D1
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b8c01823d0fc9c9dd72ede0ff81b6b94d937da9a63795c1bf3a4b086ba9e66b9
                  • Instruction ID: c4165a47a4cdc8f93369ed9e715704a7f3b1d43d21a36dfe273f0dbd512484f3
                  • Opcode Fuzzy Hash: b8c01823d0fc9c9dd72ede0ff81b6b94d937da9a63795c1bf3a4b086ba9e66b9
                  • Instruction Fuzzy Hash: 2A01D6B1F1A90B86F748FB38C8866E8B290EF14711F408679D00FC21D3DD29F80A4AD0
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4a028376e437614cef36ad2acfea003290fb3b54096b005a805db8b8897a8553
                  • Instruction ID: a6d372c0643047f09fe492ce2642d22a132dd7808f86b20d5b737c759aac7e89
                  • Opcode Fuzzy Hash: 4a028376e437614cef36ad2acfea003290fb3b54096b005a805db8b8897a8553
                  • Instruction Fuzzy Hash: 88F09039468B4D8FDB41BB6488051AA7BB0FB15314F45069AE82DC7192E735E6648B82
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 67f5233e664148ca048517e1595081ff2d4a2ba193d2839b9291da4ad3045af8
                  • Instruction ID: 6ef2105ad1460e63ae006523adc1c8d57ad5549d0ba881cbc86b6a6afb1e1833
                  • Opcode Fuzzy Hash: 67f5233e664148ca048517e1595081ff2d4a2ba193d2839b9291da4ad3045af8
                  • Instruction Fuzzy Hash: 62F08171E0D406CBF352DB29C441AB473A2BF56360F608639D00DC21D2DF38F8A68AC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: df03e010c1d320ab99f3e7caf3e6c32cb9b0adbf9ec5c4daf8811b1901ab467e
                  • Instruction ID: 18718dc590ca6c193f240bf3d46b6c8957332c9d6879b3177f946e85e67966e3
                  • Opcode Fuzzy Hash: df03e010c1d320ab99f3e7caf3e6c32cb9b0adbf9ec5c4daf8811b1901ab467e
                  • Instruction Fuzzy Hash: 88D0C215C5E5838FE20733B81C424907B209F03261F8983A2C09C82083DD9C619B47A2
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bb077a0a881d0d03878113b9b9028be26177b998651d3442285af9b8862a6464
                  • Instruction ID: e74d84564a22b234e2449ebbd1f503fcec0d8fa851febdae7d1442ad2f6529ea
                  • Opcode Fuzzy Hash: bb077a0a881d0d03878113b9b9028be26177b998651d3442285af9b8862a6464
                  • Instruction Fuzzy Hash: 77E0EC6698F7C14FC30767784C661883F306E57211F9B42E7C084CE4A3E21DA949C762
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f5126a02a73db16502306162ad1732f7eae5236e3751eb3d90fee572b05ed999
                  • Instruction ID: 39ab2a1a8858441639faf99be1c1de5f53398ec19a889959ab90f9e452e4e6a7
                  • Opcode Fuzzy Hash: f5126a02a73db16502306162ad1732f7eae5236e3751eb3d90fee572b05ed999
                  • Instruction Fuzzy Hash: 27D05E60E0F046D1F22337358805AFA14A46F87390F228135E00E910D79E98A4AC4BE1
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 171f5e95479c2d695c9e37bfdb648ea9d0111225c4f9e5625e60cc823d1bfb13
                  • Instruction ID: 2dfed526de692b70b64e38e69e44a4318a4d37af9a12e9d97e09500ff6114262
                  • Opcode Fuzzy Hash: 171f5e95479c2d695c9e37bfdb648ea9d0111225c4f9e5625e60cc823d1bfb13
                  • Instruction Fuzzy Hash: F7B01200E5780740B4093375088706474215F4B340FE141B0D41CC0087F84D909E05C2

                  Non-executed Functions

                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8c289bc3f50501807439bd6731bd62e0130adc528631b95f1a9d5df7d08e2794
                  • Instruction ID: bfd006069ba5c75bf078f806fb19378b520238ece1150c03824649e1b24b60b2
                  • Opcode Fuzzy Hash: 8c289bc3f50501807439bd6731bd62e0130adc528631b95f1a9d5df7d08e2794
                  • Instruction Fuzzy Hash: 3FD1C13090DA4C8FDB59DB68D845BE9BBB1EF56310F0482AED04DD32A2DF34A945CB81
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 290a192336127ce6c453ddfab9fc2b3e5b967b0cf65fd497144f91123d6508ed
                  • Instruction ID: 5bc971089e19d559961e1b4071e1895a046eeebac5eeea0f73ebf6944a094da8
                  • Opcode Fuzzy Hash: 290a192336127ce6c453ddfab9fc2b3e5b967b0cf65fd497144f91123d6508ed
                  • Instruction Fuzzy Hash: 26C1E731A0CB4D8FDB19DBA8D8456E9BBF1EF96321F04826ED04DD3252DE74A805CB91
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b74d66a781efb33d1a069f39171faa55ec908c56c4de6fc4caa67b718cfb0f57
                  • Instruction ID: a16e2a5a6ba7c8ab452b63727cce34630bce8d3626e73fd62a7470bc2c26f087
                  • Opcode Fuzzy Hash: b74d66a781efb33d1a069f39171faa55ec908c56c4de6fc4caa67b718cfb0f57
                  • Instruction Fuzzy Hash: 3F91E530A0D74C8FDB59DB68D8556F9BBE1EF56310F0482AED04ED32A2DE74A845CB81
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaac1b0000_011K3SJvSf.jbxd
                  Similarity
                  • API ID:
                  • String ID: N_^$N_^$N_^$N_;
                  • API String ID: 0-2620560867
                  • Opcode ID: 1d28d986a702d600c8abb8e16cd79f400feb0b3a554320b9fd41bfdba41a414f
                  • Instruction ID: 8008922f1dbdf91089f8a1fab6be9ec4691be6c34590d99c7dea525f44e8c895
                  • Opcode Fuzzy Hash: 1d28d986a702d600c8abb8e16cd79f400feb0b3a554320b9fd41bfdba41a414f
                  • Instruction Fuzzy Hash: 7121D3A7E0EA828BF31397189CA50E56BD0EF52B15B0944BAC59D87153FE28642E4AC1
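The function listing above is emitted as one "Memory Dump Source" block per disassembled function, each carrying the dump file and offset, the snapshot name, and a set of fingerprint fields (Opcode ID, Instruction ID, the two fuzzy hashes, and, for some functions, a String ID and API String ID). When you want to pivot these fingerprints against other samples, the first step is turning the listing into records. The parser below is an added example written for this page; it is not code from the Joe Sandbox report or its IDA plugin, it does not reimplement the fuzzy-hash algorithm (which the report does not describe), and the two entries it parses are a constructed sample with placeholder hash values in the same layout as the blocks above. It groups the String ID values for pivoting and flags any entry whose Opcode ID and Opcode Fuzzy Hash disagree, since the report prints both and they are identical in every block on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample (not real report data): two entries laid out exactly like the
# "Memory Dump Source" blocks in the report; hash values are placeholders.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaac1b0000_sample.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aaaa
• Instruction ID: bbbb
• Opcode Fuzzy Hash: aaaa
• Instruction Fuzzy Hash: 1111
Memory Dump Source
• Source File: 00000000.00000002.3919929756.00007FFAAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaac1b0000_sample.jbxd
Similarity
• API ID:
• String ID: N_^$N_^$N_^$N_;
• API String ID: 0-2620560867
• Opcode ID: cccc
• Instruction ID: dddd
• Opcode Fuzzy Hash: eeee
• Instruction Fuzzy Hash: 2222
"""

# A bullet line is "• Key: value"; the key is everything before the first colon,
# so the "Source File" value keeps its own "Offset: ..., based on PE: ..." tail.
FIELD_RE = re.compile(r"^[•\-*]\s*([^:]+):\s*(.*)$")
SOURCE_RE = re.compile(
    r"^(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)$"
)


@dataclass
class FunctionEntry:
    """One disassembled function as described by a 'Memory Dump Source' block."""
    source_file: str = ""
    offset: str = ""
    based_on_pe: Optional[bool] = None
    snapshot: str = ""
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")

    def consistent(self) -> bool:
        # The report prints the Opcode ID a second time as "Opcode Fuzzy Hash";
        # a mismatch would indicate a damaged or hand-edited entry.
        return self.fields.get("Opcode ID") == self.fields.get("Opcode Fuzzy Hash")


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the listing on 'Memory Dump Source' headers and collect each block's fields."""
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None:
            continue  # text before the first block (e.g. section headings)
        m = FIELD_RE.match(line)
        if not m:
            continue  # "Joe Sandbox IDA Plugin", "Similarity" and other non-field lines
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            sm = SOURCE_RE.match(value)
            if sm:
                current.source_file = sm.group("file")
                current.offset = sm.group("offset")
                current.based_on_pe = sm.group("pe") == "true"
            else:
                current.source_file = value  # keep unparsed text rather than drop it
        elif key == "Snapshot File":
            current.snapshot = value
        else:
            current.fields[key] = value
    return entries


def pivot_strings(entries: List[FunctionEntry]) -> Dict[str, List[str]]:
    """Map each non-empty String ID to the Opcode IDs of the functions that reference it."""
    index: Dict[str, List[str]] = {}
    for e in entries:
        sid = e.fields.get("String ID", "")
        if sid:
            index.setdefault(sid, []).append(e.opcode_id)
    return index


def inconsistent_entries(entries: List[FunctionEntry]) -> List[str]:
    """Opcode IDs of entries whose Opcode ID and Opcode Fuzzy Hash differ."""
    return [e.opcode_id for e in entries if not e.consistent()]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print(f"{len(parsed)} functions, string pivots: {pivot_strings(parsed)}")
    print(f"inconsistent: {inconsistent_entries(parsed)}")
```

To use it on the real report, paste the function listing (from the first "Memory Dump Source" line onward) into a file and pass its contents to `parse_entries`; the Opcode ID and Instruction ID columns are stable hashes you can compare verbatim across reports, while the fuzzy-hash fields require Joe Sandbox's own comparison, which this parser deliberately does not guess at.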