
Windows Analysis Report
qlGJTKUY7O.exe

Overview

General Information

Sample name: qlGJTKUY7O.exe (renamed because the original name is a hash value)
Original sample name: de2caf0c3b99a460e5814236acb8d0015553a694ce41ee1cc67bb3576f356a6c.exe
Analysis ID: 1600638
MD5: 11438178690245614874f6b764556d70
SHA1: 07c91998055fc8babee116468d38f269400ced65
SHA256: de2caf0c3b99a460e5814236acb8d0015553a694ce41ee1cc67bb3576f356a6c
Tags: 176-113-115-225, booking, exe, user-JAMESWT_MHT

Detection

XWorm
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Malware Callback Communication
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Classification chart labels: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious. The engine's label for this sample is mal100.troj.evad.winEXE@2/5@0/1 (see System Summary), that is Trojan / Bot plus Evader.
  • System is w10x64
  • qlGJTKUY7O.exe (PID: 6200 cmdline: "C:\Users\user\Desktop\qlGJTKUY7O.exe" MD5: 11438178690245614874F6B764556D70)
    • WerFault.exe (PID: 5424 cmdline: C:\Windows\system32\WerFault.exe -u -p 6200 -s 1528 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
{
  "C2 url": [
    "176.113.115.225"
  ],
  "Port": 4444,
  "Aes key": "P0WER",
  "SPL": "<Xwormmm>",
  "Install file": "USB.exe"
}
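The extracted configuration gives the AES key ("P0WER") and the command delimiter ("<Xwormmm>"), which is what an analyst needs to read captured C2 messages. The Go program below is an added example, not code from this report, from Joe Sandbox or from the malware: it derives the AES key from the configured key string the way public XWorm source analyses describe it (MD5 of the string copied into a zeroed 32-byte buffer at offsets 0 and 15, AES in ECB mode with PKCS#7 padding), decrypts a message and splits it on the delimiter. That key schedule is an assumption taken from those analyses; the report itself only shows the key string and the use of TransformFinalBlock. The ciphertext is constructed by the same routine inside the program, not captured traffic, and the command word PCRestart is one of the strings the YARA rule matched.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"errors"
	"fmt"
	"strings"
)

// Values taken from the configuration extracted above.
const (
	xwormKey = "P0WER"
	xwormSPL = "<Xwormmm>"
)

// deriveKey builds the 32-byte AES key the way public XWorm source
// analyses describe it (assumption; this report does not verify it):
// MD5 of the configured key string, written at offset 0 and again at
// offset 15 of a zeroed 32-byte buffer, so byte 31 stays zero.
func deriveKey(password string) []byte {
	sum := md5.Sum([]byte(password))
	key := make([]byte, 32)
	copy(key[0:], sum[:])
	copy(key[15:], sum[:])
	return key
}

// pkcs7Pad appends PKCS#7 padding up to the next full block.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed padding.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("input is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// ecb runs the block cipher over each 16-byte block independently.
// Go's standard library deliberately offers no ECB mode, so it is
// spelled out here; ECB is the mode the referenced analyses report.
func ecb(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in)%aes.BlockSize != 0 {
		return nil, errors.New("input is not block aligned")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if decrypt {
			block.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			block.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

// Encrypt exists only to construct test data for this example.
func Encrypt(password string, plaintext []byte) ([]byte, error) {
	return ecb(deriveKey(password), pkcs7Pad(plaintext), false)
}

// Decrypt recovers a message with the configured key.
func Decrypt(password string, ciphertext []byte) ([]byte, error) {
	pt, err := ecb(deriveKey(password), ciphertext, true)
	if err != nil {
		return nil, err
	}
	return pkcs7Unpad(pt)
}

// SplitCommand splits a decrypted message on the SPL delimiter from the
// configuration; the first field is the command word.
func SplitCommand(msg string) []string {
	return strings.Split(msg, xwormSPL)
}

func main() {
	// Constructed message (command, delimiter, argument); not captured traffic.
	ct, err := Encrypt(xwormKey, []byte("PCRestart"+xwormSPL+"now"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(xwormKey, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("key=%x\nct=%x\nfields=%q\n", deriveKey(xwormKey), ct, SplitCommand(string(pt)))
}
```

Because the mode is ECB, identical 16-byte plaintext blocks produce identical ciphertext blocks, which is why repeated commands from the same build look alike on the wire and why the Suricata "Generic Prefix Bytes" signatures below can key on them.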
Source | Rule | Description | Author (matched strings are listed under each entry as offset: identifier: string)

Sample file:
qlGJTKUY7O.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
qlGJTKUY7O.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x9a92: $str01: $VB$Local_Port
  • 0x27498: $str01: $VB$Local_Port
  • 0x9afe: $str02: $VB$Local_Host
  • 0x27504: $str02: $VB$Local_Host
  • 0x83ee: $str03: get_Jpeg
  • 0x25df4: $str03: get_Jpeg
  • 0x8990: $str04: get_ServicePack
  • 0x26396: $str04: get_ServicePack
  • 0xa7be: $str05: Select * from AntivirusProduct
  • 0x281c4: $str05: Select * from AntivirusProduct
  • 0xaefc: $str06: PCRestart
  • 0x28902: $str06: PCRestart
  • 0xaf10: $str07: shutdown.exe /f /r /t 0
  • 0x28916: $str07: shutdown.exe /f /r /t 0
  • 0xafc2: $str08: StopReport
  • 0x289c8: $str08: StopReport
  • 0xaf98: $str09: StopDDos
  • 0x2899e: $str09: StopDDos
  • 0xb08e: $str10: sendPlugin
  • 0x28a94: $str10: sendPlugin
  • 0xb10e: $str11: OfflineKeylogger Not Enabled
qlGJTKUY7O.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xbb38: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x2953e: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xbbd5: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x295db: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xbcea: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x296f0: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xb7aa: $cnc4: POST / HTTP/1.1
  • 0x291b0: $cnc4: POST / HTTP/1.1

Memory dumps:
00000000.00000000.1603844841.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1603844841.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xb938: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xb9d5: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xbaea: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xb5aa: $cnc4: POST / HTTP/1.1
00000000.00000002.2670364525.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: qlGJTKUY7O.exe PID: 6200 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Unpacked PEs:
0.0.qlGJTKUY7O.exe.ab0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.qlGJTKUY7O.exe.ab0000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x9a92: $str01: $VB$Local_Port
  • 0x9afe: $str02: $VB$Local_Host
  • 0x83ee: $str03: get_Jpeg
  • 0x8990: $str04: get_ServicePack
  • 0xa7be: $str05: Select * from AntivirusProduct
  • 0xaefc: $str06: PCRestart
  • 0xaf10: $str07: shutdown.exe /f /r /t 0
  • 0xafc2: $str08: StopReport
  • 0xaf98: $str09: StopDDos
  • 0xb08e: $str10: sendPlugin
  • 0xb10e: $str11: OfflineKeylogger Not Enabled
  • 0xb266: $str12: -ExecutionPolicy Bypass -File "
  • 0xb88f: $str13: Content-length: 5235
0.0.qlGJTKUY7O.exe.ab0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xbb38: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xbbd5: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xbcea: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xb7aa: $cnc4: POST / HTTP/1.1

Two points worth noting before relying on these matches. First, every string the MALWARE_Win_AsyncRAT rule hit here ($cnc1 to $cnc4) is a generic browser User-Agent or the literal "POST / HTTP/1.1"; none is specific to AsyncRAT, so the family call should rest on the XWorm-specific rules and on the extracted configuration, whose "<Xwormmm>" delimiter is XWorm's. Second, in the file on disk every string matches twice at a constant distance of 0x1da06 bytes (for example 0x9a92 and 0x27498), while the unpacked PE shows each string once: the file carries a second copy of the same string data, consistent with an embedded duplicate assembly, which also fits the second OriginalFilename (GOO.dll) reported in the System Summary below.

            System Summary

Sigma rule "Potentially Suspicious Malware Callback Communication" (listed under Signatures above) matched one Sysmon network-connection event (Event ID 3):
Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 176.113.115.225, DestinationIsIpv6: false, DestinationPort: 4444, EventID: 3, Image: C:\Users\user\Desktop\qlGJTKUY7O.exe, Initiated: true, ProcessId: 6200, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49706
Suricata alerts, grouped by rule. Every row has Severity 1, Classtype "Malware Command and Control Activity Detected" and Protocol TCP, and all of them belong to the single session 192.168.2.8:49706 <-> 176.113.115.225:4444, so only the direction and the timestamp vary between rows. Rule names are those given in the Networking section below.

SID 2852870 (ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes), server to client, 176.113.115.225:4444 -> 192.168.2.8:49706:
2025-01-27T19:47:51.417290+0100
2025-01-27T19:47:57.037211+0100
2025-01-27T19:48:01.483420+0100
2025-01-27T19:48:11.769294+0100
2025-01-27T19:48:11.782998+0100
2025-01-27T19:48:21.634752+0100
2025-01-27T19:48:27.151730+0100
2025-01-27T19:48:27.159381+0100
2025-01-27T19:48:31.713469+0100
2025-01-27T19:48:40.215397+0100
2025-01-27T19:48:42.884882+0100
2025-01-27T19:48:43.008606+0100
2025-01-27T19:48:43.777041+0100
2025-01-27T19:48:48.088581+0100
2025-01-27T19:48:52.666514+0100
2025-01-27T19:48:56.635555+0100
2025-01-27T19:48:56.946966+0100
2025-01-27T19:49:00.026250+0100
2025-01-27T19:49:05.010393+0100
2025-01-27T19:49:05.132930+0100
2025-01-27T19:49:08.980030+0100
2025-01-27T19:49:09.121936+0100
2025-01-27T19:49:09.243863+0100
2025-01-27T19:49:09.486029+0100

SID 2852923 (ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)), client to server, 192.168.2.8:49706 -> 176.113.115.225:4444:
2025-01-27T19:47:51.494628+0100
2025-01-27T19:48:01.485753+0100
2025-01-27T19:48:11.778914+0100
2025-01-27T19:48:21.636877+0100
2025-01-27T19:48:31.715310+0100
2025-01-27T19:48:40.217657+0100
2025-01-27T19:48:42.887449+0100
2025-01-27T19:48:43.010205+0100
2025-01-27T19:48:43.779456+0100
2025-01-27T19:48:48.101526+0100
2025-01-27T19:48:52.670400+0100
2025-01-27T19:48:56.637669+0100
2025-01-27T19:49:00.030174+0100
2025-01-27T19:49:05.014088+0100
2025-01-27T19:49:05.134931+0100
2025-01-27T19:49:08.982209+0100
2025-01-27T19:49:09.135998+0100
2025-01-27T19:49:09.249643+0100
2025-01-27T19:49:09.373699+0100
2025-01-27T19:49:09.381253+0100
2025-01-27T19:49:09.494299+0100
2025-01-27T19:49:09.613514+0100
2025-01-27T19:49:09.621172+0100

SID 2858801 (ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound), server to client, 176.113.115.225:4444 -> 192.168.2.8:49706:
2025-01-27T19:47:57.037211+0100

SID 2858800 (ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound), client to server, 192.168.2.8:49706 -> 176.113.115.225:4444:
2025-01-27T19:47:51.194552+0100

The client-side check-ins (SID 2852923) recur at roughly 10-second intervals for the first minute (19:47:51, 19:48:01, 19:48:11, 19:48:21, 19:48:31) and then bunch up as the operator side becomes active; that 10-second cadence on a single long-lived TCP session to a non-standard port is the pattern to look for in proxy or NetFlow data when hunting for this C2 elsewhere.
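The Sigma match above is a single Sysmon Event ID 3 record, and the Suricata rows are the network side of the same session. The Go program below is an added example, not part of this report or of any Sigma rule: it parses records in the key/value form the report prints, applies a callback heuristic (outbound, public destination, a port from a short callback-port list, with a user-writable image path noted as an aggravating factor) and returns the hits. The first sample record is the one from the report; the other three are constructed for contrast using documentation-range addresses. The port list and the path prefixes are assumptions made for this example, not the Sigma rule's own selection, which the page does not reproduce.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Finding is one flagged outbound connection and the reason it was flagged.
type Finding struct {
	Image  string
	Dst    string
	Reason string
}

// callbackPorts is an example list (assumption for this example, not the
// Sigma rule's own selection); 4444 is the port in the extracted configuration.
var callbackPorts = map[int]bool{4444: true, 1337: true, 5552: true, 6666: true}

// parseSysmonData reads the "Key: value, Key: value" rendering of a Sysmon
// Event ID 3 record, the form shown in the Sigma match above.
func parseSysmonData(line string) map[string]string {
	fields := make(map[string]string)
	for _, kv := range strings.Split(line, ", ") {
		parts := strings.SplitN(kv, ": ", 2)
		if len(parts) == 2 {
			fields[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
		}
	}
	return fields
}

// isPublic rejects private, loopback, link-local and unspecified addresses
// so that lab-internal traffic is not reported as a callback.
func isPublic(s string) bool {
	ip := net.ParseIP(s)
	return ip != nil && !ip.IsPrivate() && !ip.IsLoopback() &&
		!ip.IsLinkLocalUnicast() && !ip.IsUnspecified()
}

// userWritable is true for image paths an unprivileged user can write to
// (prefixes assumed for this example).
func userWritable(image string) bool {
	p := strings.ToLower(image)
	return strings.HasPrefix(p, `c:\users\`) || strings.HasPrefix(p, `c:\programdata\`) ||
		strings.Contains(p, `\appdata\`) || strings.Contains(p, `\temp\`)
}

// CheckCallback applies the heuristic to one parsed record: an outbound
// connection (Initiated=true) to a public address on a callback port.
func CheckCallback(f map[string]string) (Finding, bool) {
	if f["EventID"] != "3" || f["Initiated"] != "true" || !isPublic(f["DestinationIp"]) {
		return Finding{}, false
	}
	port, err := strconv.Atoi(f["DestinationPort"])
	if err != nil || !callbackPorts[port] {
		return Finding{}, false
	}
	reason := fmt.Sprintf("outbound %s to public host on callback port %d",
		strings.ToLower(f["Protocol"]), port)
	if userWritable(f["Image"]) {
		reason += "; image under a user-writable path"
	}
	return Finding{
		Image:  f["Image"],
		Dst:    f["DestinationIp"] + ":" + f["DestinationPort"],
		Reason: reason,
	}, true
}

// Scan runs CheckCallback over a batch of rendered records.
func Scan(lines []string) []Finding {
	var hits []Finding
	for _, l := range lines {
		if fd, ok := CheckCallback(parseSysmonData(l)); ok {
			hits = append(hits, fd)
		}
	}
	return hits
}

// sampleEvents: the first record is the one from the Sigma match above; the
// other three are constructed for contrast (203.0.113.0/24 is a documentation range).
var sampleEvents = []string{
	`DestinationIp: 176.113.115.225, DestinationIsIpv6: false, DestinationPort: 4444, EventID: 3, Image: C:\Users\user\Desktop\qlGJTKUY7O.exe, Initiated: true, ProcessId: 6200, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49706`,
	`DestinationIp: 203.0.113.10, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Browser\browser.exe, Initiated: true, ProcessId: 1234, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49800`,
	`DestinationIp: 192.168.2.1, DestinationIsIpv6: false, DestinationPort: 4444, EventID: 3, Image: C:\Users\user\tools\client.exe, Initiated: true, ProcessId: 2222, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49801`,
	`DestinationIp: 192.168.2.8, DestinationIsIpv6: false, DestinationPort: 4444, EventID: 3, Image: C:\Users\user\tools\listener.exe, Initiated: false, ProcessId: 3333, Protocol: tcp, SourceIp: 203.0.113.20, SourceIsIpv6: false, SourcePort: 51000`,
}

func main() {
	for _, h := range Scan(sampleEvents) {
		fmt.Printf("%s -> %s: %s\n", h.Image, h.Dst, h.Reason)
	}
}
```

Only the report's own record is returned: the browser connection is on 443, the third record goes to a private address and the fourth is inbound. A real deployment would feed the same check from the Sysmon event log rather than from rendered strings, but the field names and the decision logic are the same.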


            AV Detection

Source: qlGJTKUY7O.exe | Avira: detected
Source: qlGJTKUY7O.exe | Malware Configuration Extractor: Xworm {"C2 url": ["176.113.115.225"], "Port": 4444, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: qlGJTKUY7O.exe | Virustotal: Detection: 71%
Source: qlGJTKUY7O.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: qlGJTKUY7O.exe | Joe Sandbox ML: detected
Source: qlGJTKUY7O.exe | String decryptor: 176.113.115.225
Source: qlGJTKUY7O.exe | String decryptor: 4444
Source: qlGJTKUY7O.exe | String decryptor: P0WER
Source: qlGJTKUY7O.exe | String decryptor: <Xwormmm>
Source: qlGJTKUY7O.exe | String decryptor: XWorm
Source: qlGJTKUY7O.exe | String decryptor: USB.exe
Source: qlGJTKUY7O.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: qlGJTKUY7O.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
The binary strings below are PDB paths. Those sourced from WERC411.tmp.dmp (the Windows Error Reporting dump of the crashed sample process, PID 6200) name .NET Framework native images (*.ni.pdb for mscorlib, System, System.Core, System.Xml, System.Management, Microsoft.VisualBasic, System.Windows.Forms, System.Drawing, System.Configuration), so they describe the runtime loaded into the process rather than the sample's own build. The Microsoft.VisualBasic and System.Management images are consistent with a VB.NET client that uses WMI, matching the $VB$ strings in the YARA hits and the WMI queries listed under Signatures.
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb& source: qlGJTKUY7O.exe, 00000000.00000002.2671616662.000000001BDBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.pdb` source: WERC411.tmp.dmp.8.dr
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2671616662.000000001BDBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdbnTEM] source: qlGJTKUY7O.exe, 00000000.00000002.2671616662.000000001BDB8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WERC411.tmp.dmp.8.dr
            Source: Binary string: lib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2671616662.000000001BDBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Windows.Forms.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Drawing.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Configuration.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2671456563.000000001B839000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERC411.tmp.dmp.8.dr
            Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Configuration.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: qlGJTKUY7O.exe, 00000000.00000002.2671456563.000000001B839000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Drawing.ni.pdbRSDS source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Xml.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: 0C:\Windows\mscorlib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2671456563.000000001B839000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WERC411.tmp.dmp.8.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Core.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Windows.Forms.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Core.pdb0 source: WERC411.tmp.dmp.8.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2669850759.0000000001002000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2671616662.000000001BE1E000.00000004.00000020.00020000.00000000.sdmp, WERC411.tmp.dmp.8.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2671616662.000000001BDBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Drawing.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Management.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: mscorlib.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: qlGJTKUY7O.exe, 00000000.00000002.2671616662.000000001BDBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2671616662.000000001BDBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Drawing.pdb" source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERC411.tmp.dmp.8.dr
            Source: Binary string: indoC:\Windows\mscorlib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2671456563.000000001B839000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.pdbSystem.Drawing.ni.dll source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WERC411.tmp.dmp.8.dr
            Source: Binary string: Microsoft.VisualBasic.pdb! source: WERC411.tmp.dmp.8.dr

            Networking

Source: Network traffic | Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49706 -> 176.113.115.225:4444
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 176.113.115.225:4444 -> 192.168.2.8:49706
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.8:49706 -> 176.113.115.225:4444
Source: Network traffic | Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 176.113.115.225:4444 -> 192.168.2.8:49706
Source: Malware configuration extractor | URLs: 176.113.115.225
Source: global traffic | TCP traffic: 192.168.2.8:49706 -> 176.113.115.225:4444
Source: Joe Sandbox View | ASN Name: SELECTELRU SELECTELRU
All C2 activity in this run rides one TCP session (client source port 49706 throughout) to a single hard-coded address on port 4444; the IP, port and ASN are the network indicators to block or hunt on, and the ETPRO signature IDs above are the ones to enable if the ETPRO ruleset is available.
Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.225
(the report repeats this entry 50 times; no DNS lookup precedes the traffic because the C2 is configured as a literal IP address, as the extracted configuration shows)
Source: qlGJTKUY7O.exe, 00000000.00000002.2670364525.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
(the upx.sf.net string comes from Amcache.hve, a Windows registry hive collected from the analysis machine, not from the sample; nothing else in the report indicates UPX packing, and TRID identifies the file as a .NET Framework executable)

            System Summary

Source: qlGJTKUY7O.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
Source: qlGJTKUY7O.exe, type: SAMPLE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.0.qlGJTKUY7O.exe.ab0000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
Source: 0.0.qlGJTKUY7O.exe.ab0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000000.00000000.1603844841.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Code function: 0_2_00007FFB4AD864C6
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Code function: 0_2_00007FFB4AD87272
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Code function: 0_2_00007FFB4AD8A244
(these are 64-bit JIT addresses, and the mscorlib PDB path in the AV Detection section points into GAC_64: the PE header is marked 32BIT_MACHINE, as AnyCPU .NET assemblies are, but the code ran as a 64-bit process under the x64 CLR, so the "Uses 32bit PE files" signature describes the header rather than the running process)
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6200 -s 1528
Source: qlGJTKUY7O.exe, 00000000.00000000.1603844841.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename XClient.exe vs qlGJTKUY7O.exe
Source: qlGJTKUY7O.exe | Binary or memory string: OriginalFilename XClient.exe vs qlGJTKUY7O.exe
Source: qlGJTKUY7O.exe | Binary or memory string: OriginalFilename GOO.dll vs qlGJTKUY7O.exe
(two OriginalFilename values are present in the file: XClient.exe, the name the Sekoia rule description associates with the XWorm v3 client, and GOO.dll, a second version resource consistent with the duplicated string offsets seen in the YARA matches)
Source: qlGJTKUY7O.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: qlGJTKUY7O.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: qlGJTKUY7O.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.qlGJTKUY7O.exe.ab0000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.qlGJTKUY7O.exe.ab0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1603844841.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: qlGJTKUY7O.exe, 75nEg0zZR0dHe.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: qlGJTKUY7O.exe, 75nEg0zZR0dHe.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: qlGJTKUY7O.exe, ocdWY4uta2L6F.cs | Cryptographic APIs: 'TransformFinalBlock'
(the class names are obfuscated; TransformFinalBlock is the .NET ICryptoTransform call behind the AES use implied by the "Aes key" in the configuration)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/5@0/1
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Mutant created: \Sessions\1\BaseNamedObjects\pWbxsRP5Z5tLW4V1
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6200
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\43e3cdbf-968a-446b-bad7-baa9cdb135be
(the mutex pWbxsRP5Z5tLW4V1 is the host-level indicator for this build; the only file creation logged belongs to WerFault, and since the sample crashed (WerFault was started for PID 6200) the configured install name USB.exe was not observed on disk in this run)
Source: qlGJTKUY7O.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: qlGJTKUY7O.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: qlGJTKUY7O.exe | Virustotal: Detection: 71%
Source: qlGJTKUY7O.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | File read: C:\Users\user\Desktop\qlGJTKUY7O.exe
Source: unknown | Process created: C:\Users\user\Desktop\qlGJTKUY7O.exe "C:\Users\user\Desktop\qlGJTKUY7O.exe"
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6200 -s 1528
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Section loaded: winmm.dll
(the loaded modules line up with the capabilities the strings suggest: avicap32.dll and msvfw32.dll are the Video for Windows capture libraries, consistent with the get_Jpeg string and the Win32_VideoController query; wbemcomn.dll is the WMI client library behind the AntivirusProduct query; cryptsp.dll and rsaenh.dll back the .NET AES provider; amsi.dll is loaded by the .NET runtime itself to scan assemblies, so its presence alone is not evidence of AMSI tampering by the sample)
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\qlGJTKUY7O.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
            Source: qlGJTKUY7O.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: qlGJTKUY7O.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb& source: qlGJTKUY7O.exe, 00000000.00000002.2671616662.000000001BDBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.pdb` source: WERC411.tmp.dmp.8.dr
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2671616662.000000001BDBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdbnTEM] source: qlGJTKUY7O.exe, 00000000.00000002.2671616662.000000001BDB8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WERC411.tmp.dmp.8.dr
            Source: Binary string: lib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2671616662.000000001BDBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Windows.Forms.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Drawing.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Configuration.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2671456563.000000001B839000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERC411.tmp.dmp.8.dr
            Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Configuration.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: qlGJTKUY7O.exe, 00000000.00000002.2671456563.000000001B839000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Drawing.ni.pdbRSDS source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Xml.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: 0C:\Windows\mscorlib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2671456563.000000001B839000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WERC411.tmp.dmp.8.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Core.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Windows.Forms.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Core.pdb0 source: WERC411.tmp.dmp.8.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2669850759.0000000001002000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2671616662.000000001BE1E000.00000004.00000020.00020000.00000000.sdmp, WERC411.tmp.dmp.8.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2671616662.000000001BDBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Drawing.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Management.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: mscorlib.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: qlGJTKUY7O.exe, 00000000.00000002.2671616662.000000001BDBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2671616662.000000001BDBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Drawing.pdb" source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERC411.tmp.dmp.8.dr
            Source: Binary string: indoC:\Windows\mscorlib.pdb source: qlGJTKUY7O.exe, 00000000.00000002.2671456563.000000001B839000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.pdbSystem.Drawing.ni.dll source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.ni.pdb source: WERC411.tmp.dmp.8.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WERC411.tmp.dmp.8.dr
            Source: Binary string: Microsoft.VisualBasic.pdb! source: WERC411.tmp.dmp.8.dr

Data Obfuscation

Source: qlGJTKUY7O.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH._7ou4q3URxUtrcBhAksV8MILst8vvfhGZzz84cTowdPeJNJqpazaC0zcplhKSCF9TGZGal9qwtbeNZDXuM4ysc7,Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH.B5vObioagoHeuBETToqXO7c4SBvzgegJ2rVxzrn97Z01VyClBh4RfVnBpn3uLZmwBfvDkA7hA0zjL4bYk2F9Lw,Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH.MGHflsToeaIGYe2QlJGLifoJfKHFMzr3e7F5gXl32IYYefKteaV3QAP8fQuyq1nSYPUyb4dRKPWQTfFJrBKDJn,Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH.JavtZpWbEUzyaboWUx5EzFRMnopkNEbRbaMCyBm6SCxx4PxjVvD0SD2eCoxY6CvuIPhM1bDKYzUwSKBPVNSu3Q,_75nEg0zZR0dHe.a5l48OPDiZ3ML()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: qlGJTKUY7O.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{N6aiy2oVGGWRy[2],_75nEg0zZR0dHe.UcVmBdslgVk5f(Convert.FromBase64String(N6aiy2oVGGWRy[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: qlGJTKUY7O.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: ZUmB24n464ntiQrflcihkDyPco81l8Q7DbSzDtnPgle6J6wZ28XmQUOLWjnlfqlyYqNcIrx System.AppDomain.Load(byte[])
Source: qlGJTKUY7O.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: RocT7i11N77Uf System.AppDomain.Load(byte[])
Source: qlGJTKUY7O.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: RocT7i11N77Uf
Source: qlGJTKUY7O.exe, b4uun3ISTXKnf.cs | High entropy of concatenated method names: 'YCjMUCUaS1W51', 'nBYZp8mEKNdCM', 'A0fHqAYUq6yHF', '_1mVdS59RD9WRXjpk4dgLoY55DRM5wYkWRMGMMurlj3LIOgyP', 'fHMQFoqEOaRpZM5LGroxVJm37fqi9jUrbA6e0tMx0g2V8mYW', 'LoB5UwuYY5RTRpo7KYVsQo0M18w3Nqjvx6hFEJtWrmEhpNS8', '_8xzyi24VkTi5m5Gsy7XUUolTzE6ThsmXs6bUc1FmIJiIWf1C', '_0fb1PXYa6kb1Rh7XSfKSHk6h0u9Dpwhkn0aPYGvFcLJ9j5gx', 'muNz9fBp8MEGjEaAaR4gHkqhVUn1c7430siPvrb9kzSiFIcm', 'br3It0Vta53HcAKawwe4bhthaz6XVj4dQqIhe3SzkIF6mbdR'
Source: qlGJTKUY7O.exe, Okx2cEcCTYefVQm6EymR3DAHXaTSljZM45uWUuKfmTQXlObkYx2hI.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'qhoRWWDGbIaBYf1xlc2ObtVWJaKjgV1', 'DymWxUA0Gzkq60kzVxmAsWvR6nPAUbA', 'VRGwbt4QosOEYZDJMW6oiZAv0pO17cG', 'yUA6AUHSQfBMMR68GOUobZVEBz10NVn'
Source: qlGJTKUY7O.exe, 6jI32o4ws06OX.cs | High entropy of concatenated method names: 'RaiFrYHEhVkGS', 'hx6hnTTFdwvcvMmU5tfd16J2MYSLJ0eJ6OI49uozqUzfAV2hp9pL3WXmxeqoyAR', 'cNGApf86khPqX7UFOcOQ1vxse4iSyACnzfVfGwGsr2VBKXVV9zlAAxqefX2ESAr', 'A59evJghrlNxzbqc6Ps2fGGXCHRposxsPG3o30QgIEcDchw2DXYQuOTjARh5Abl', '_6zBH6zRaU2H1LVlnglmQDC83mL96YyuygQvcn37k0CYYQ5ofHgMOFoWn6791yKg'
Source: qlGJTKUY7O.exe, ZIg8Qqo0jZuX2XOx4xLqAhf47oWpoNvAaxwAcDK84nM8ufFMnbxFnWhlwugUCXkJBxJUgDoiGL4JxxlL3N6MWF.cs | High entropy of concatenated method names: 'PCMd3nft0XRAEjjfTvQ9XSikDVDfw1SFeuJjcMNu23L9ut7hUam2JtbvJNG9Q1LtII1NXrvJ1pXXQSrlwu1LGA', 'Jd7dipyiHVKFnnn5TtLlCT4QqQcZ1LcpveZHXmyGRURwhmIt91DiUsUw2JHJYqACligP1uXjRP19gLBuHeVNXP', 'lqsu07OmfboE51hkKcFQZfOeohQgdsXJpwH19tPJIxbnloG0EQElOpFNlXw1YWFWHdBtCAUCGx7RzUPrp0vj6O', 'Pl2rLE4NFtvwpuxh9sQICrTA02puQ3l0wmGobDtKEtDQYp9NtFnsr0yJ4EXv69vEnPqN47QpRHNc0MkAuxuG3X', 'KdVFbPcZtmc5qWDmWAxenzBQZsFj2y1IkVJrkWTaZqy4RN5x7X4UJCZPqGfR1nIGQKiSLvDck0jrhrNMj4Zhvt', 'sWK8vuJRm8M7VFNfVet38IXxMDOBVpNoEvoaJOy2fXnYDixgCoJOZUvyQExFEXEIJedbrENkdjo3JUdsqHJdHg', '_78E00qSUqiwXMsuRg9AR5r0Et06xyxHKa0yYgelPQWb9XWLYWB4QHANvr24N0UIz7XMOPBk4xHjZRn2irwSEm6', 'Kn2ickZPGCnkIfx2SIh0FyIsImdy0JdL95XdZq2zkx2ARnyABIA01bCELcv0k43JTab4APMbIIb4YBAdNd6fZG', 'a0uJIUhDNBBBOsnT1speyYAmyNBYhRuHZ6DqkqZKWSSvHYpDrB0WRRXcgd7rVvs4H7iax7ntPSkFgBGt4PpWRr', '_72TWMwDUPUengDslxZ7ashZ9blkvIyPqCf8HrPSykCuRkJtI24TRm4hbjqsd3YPrTmShlG573OHlL5nTRSqa1t'
Source: qlGJTKUY7O.exe, 75nEg0zZR0dHe.cs | High entropy of concatenated method names: '_5deq5ZMjXSyOV', '_1ylcOTS7IequM', 'Jec3M7x8OHYHU', 'XFGNrMmv4br0v', '_1UPCebSNb17oS', 'ZWHoZcMAqG9NM', 'b2F5a7qBXz5Vo', 'yxkqiLSPeeleq', 'xbsVGOJehhaH3', '_2QsbjhSfy2vJi'
Source: qlGJTKUY7O.exe, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | High entropy of concatenated method names: '_1nUdV8zCgrBa3pV3QCLM48pI7PGiNwJLvkgLDquedBS0T55d2IBdIKrGglAUEGkd3y4QntF', 'ZUmB24n464ntiQrflcihkDyPco81l8Q7DbSzDtnPgle6J6wZ28XmQUOLWjnlfqlyYqNcIrx', 'Fqv6NSSymAkmG1Tv6yUOrZ1GG2fbAU7RdkKa1NI9XlVZ6MhApGbUjYA1ZrP9nbK4WaYQWO6', 'NN4ROQ4RugYSKZgXWTebgYaOkvNaAjJLJwZ4WGeS1tFDMHcXwQWLIXcAcxQT9SrJVlS5idE', 'A8u0DQJPq3SvcF1uAdysGKN9Evjx3OQ7rrDcxaJUNmcNtWxHKL5npGDS8Jvg48bYqJTvHCs', 'hm6KXVdf3MWpMoAIsalbhUDSQJwI8Ei27WKvbTt5UVmAEOSCzCom2ybLOPDTY6NKIgssTG5', 'ikPkXINAQMgiz2gNKsResrVJD5I3SwrfAxRQfhldfRVkkXrgfnoxbjRw0b4jEd2hAw5nOyj', 'UtsfbvVmPY2OOjmvLR2JLhy36YRk6vk96eYY8K6gzyUGtVUiyqWf8ry33MA7oYVqMX2thcx', 'W3YjdpEgWQybF', 'Fh9HwxHIZFa4I'
Source: qlGJTKUY7O.exe, ocdWY4uta2L6F.cs | High entropy of concatenated method names: '_6ZbrahaikQCcd', 'zs2tTgBzWM2mD3yMJQAVREjQu4hieQ4zJOhnrEN0B7Iai5Bj5S1qmooPZamjemY', 'qldTlCiD7qExb6p4FxM2p1D1P4wVYjKrUvg5ITB3mJe01cpffWrLtj0juPPuHby', 'Ee2Ud3UssTJpmjLUQoJ1fHkbl0dggJMamVcMoQhRFOMYQ9wxb7t3njBLekP1Swq', 'pDUvkqaLWIjKFi4nijh2Jb8W1I4Otb9JmwPdWMYUbQEZzafaxgSof1cPOmsujXC'
Source: qlGJTKUY7O.exe, zdtkXphm1qUGTOgxhhi6mhj0ZkS1NHj4NF8FjvfZJNSQEp8xxlOX8RlyrbWrOff2QnlKL3srkSeTIIF5qlGNY2.cs | High entropy of concatenated method names: 'yi6PZbY6haSeIP2qzmu8X8djxweLUaPHTLfzJhTrpBjyISPgxoNbD967E6KaCuklnmMJqhQEKm5AGpsuhm5pSN', 'HVGwB1qYNdzDwmFsbSmVov1zNXLwLT8QXhkHsqMK44ZYNBPnRY6H1fTBuMr2Fx1Kxph0CctRvpO1SwTuptCjNO', 'wSQ1TOl0Qw1PGzDkvkXh7wUppmfQM5treEokthCDrGK39TWWXnydBfcdbFG6XjbJC6y3aqqxtbCO6ApGxw2tL6', 'N13xUgTiqRGgZcZSLgqtUAuBlIiSpr5', 'f1eW6VvNCHDPH0jcJOhj3UvX2FcBwMa', 'y59PbByil3pLYv7mufMbV2KNL8dC9TO', 'jBQxblwueNcd01bwF0d8OHwlr1FFL32', 'DK7dv84vaZIzUWLkljXYRsgtl2JmFc6', 'WaxLR0sqXoIPzoMu91Boe8hzh7EaW0z', 'cZKh39JIUQn9kJXDoNgi5yfVlokWVJj'
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Memory allocated: F30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Memory allocated: 1AF80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Window / User API: threadDelayed 5771
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Window / User API: threadDelayed 4066
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe TID: 2800 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe TID: 3060 | Thread sleep count: 5771 > 30
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe TID: 3060 | Thread sleep count: 4066 > 30
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.8.dr | Binary or memory string: VMware
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr | Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: qlGJTKUY7O.exe, 00000000.00000002.2669850759.0000000001002000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.8.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Queries volume information: C:\Users\user\Desktop\qlGJTKUY7O.exe VolumeInformation
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\qlGJTKUY7O.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: qlGJTKUY7O.exe, type: SAMPLE
Source: Yara match | File source: 0.0.qlGJTKUY7O.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1603844841.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2670364525.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: qlGJTKUY7O.exe PID: 6200, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Source: Yara matchFile source: qlGJTKUY7O.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.qlGJTKUY7O.exe.ab0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000000.1603844841.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2670364525.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: qlGJTKUY7O.exe PID: 6200, type: MEMORYSTR
MITRE ATT&CK matrix, one line per tactic (a leading number is the count of signatures matched for that technique; entries without a number matched no signature):

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media
Execution: 11 Windows Management Instrumentation | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task
Persistence: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts
Privilege Escalation: 1 Process Injection | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts
Defense Evasion: 1 Disable or Modify Tools | 141 Virtualization/Sandbox Evasion | 1 Process Injection | 1 Deobfuscate/Decode Files or Information | 2 Software Packing | 1 DLL Side-Loading
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials
Discovery: 131 Security Software Discovery | 141 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 13 System Information Discovery | Internet Connection Discovery | Wi-Fi Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC
Collection: 11 Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture
Command and Control: 1 Encrypted Channel | 1 Non-Standard Port | 1 Application Layer Protocol | Protocol Impersonation | Fallback Channels | Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop

Behavior graph (ID 1600638, sample qlGJTKUY7O.exe, start date 27/01/2025, architecture WINDOWS, score 100):

• Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
• qlGJTKUY7O.exe (started)
  • Network: 176.113.115.225 port 4444, from local port 49706; SELECTELRU, Russian Federation
  • Signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  • WerFault.exe (started by qlGJTKUY7O.exe)
    • Dropped file: C:\ProgramData\Microsoft\...\Report.wer, Unicode

Antivirus detection, submitted sample (Source | Detection | Scanner | Label):
qlGJTKUY7O.exe | 71% | Virustotal |
qlGJTKUY7O.exe | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
qlGJTKUY7O.exe | 100% | Avira | TR/Dropper.Gen
qlGJTKUY7O.exe | 100% | Joe Sandbox ML |
No Antivirus matches (reported for each of the three remaining artifact tables)

Antivirus detection, URLs and IPs (Source | Detection | Scanner | Label):
176.113.115.225 | 0% | Avira URL Cloud | safe

The ReversingLabs label says AsyncRAT rather than XWorm; vendor family names for .NET RATs overlap heavily, and the Yara rule, the extracted configuration and the ETPRO Suricata signatures on this page all identify XWorm. The 0%/safe URL-cloud score for 176.113.115.225 is a reputation lookup and does not outweigh the behavioural evidence: the Suricata alerts below record the C2 traffic to that address.


Contacted domains: none

Contacted IPs (Name | Malicious | Antivirus Detection | Reputation):
176.113.115.225 | true | Avira URL Cloud: safe | unknown

URLs from memory and binary data (Name | Source | Malicious | Antivirus Detection | Reputation):
http://upx.sf.net | Amcache.hve.8.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | qlGJTKUY7O.exe, 00000000.00000002.2670364525.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | false | | high

Contacted public IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
176.113.115.225 | unknown | Russian Federation | 49505 | SELECTELRU | true
                Joe Sandbox version:42.0.0 Malachite
                Analysis ID:1600638
                Start date and time:2025-01-27 19:46:12 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 53s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:10
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:qlGJTKUY7O.exe
                renamed because original name is a hash value
                Original Sample Name:de2caf0c3b99a460e5814236acb8d0015553a694ce41ee1cc67bb3576f356a6c.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@2/5@0/1
                EGA Information:Failed
                HCA Information:
                • Successful, ratio: 98%
                • Number of executed functions: 52
                • Number of non-executed functions: 2
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 20.42.65.92, 4.175.87.197, 13.107.246.45, 20.190.159.64
                • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target qlGJTKUY7O.exe, PID 6200 because it is empty
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
13:47:40 | API Interceptor | 2323218x Sleep call for process: qlGJTKUY7O.exe modified
13:49:17 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
IP context (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
176.113.115.225 | 176.113.115_2.225.ps1 | malicious | XWorm |

ASN context (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
SELECTELRU | 176.113.115_2.225.ps1 | malicious | XWorm | 176.113.115.225
SELECTELRU | p199AjsEFs.exe | malicious | Amadey, AsyncRAT, KeyLogger, LummaC Stealer, PureLog Stealer, ReverseShell, Stealc | 176.113.115.163
SELECTELRU | VbEfsnL4cp.exe | malicious | LummaC Stealer | 176.113.115.215
SELECTELRU | 2E02vIiMfd.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar | 176.113.115.96
SELECTELRU | grcKLMutRS.exe | malicious | LummaC Stealer | 176.113.115.215
SELECTELRU | 4WzIkJRbcc.exe | malicious | LummaC Stealer | 176.113.115.215
SELECTELRU | 2r81fhbT6k.exe | malicious | LummaC Stealer | 176.113.115.215
SELECTELRU | random.exe | malicious | Amadey, Socks5Systemz | 176.113.115.96
SELECTELRU | random.exe | malicious | Socks5Systemz | 176.113.115.96
SELECTELRU | SeP4o9Jp8A.hta | malicious | Amadey, AsyncRAT, PureLog Stealer, Vidar | 176.113.115.163

No context for the remaining context tables.
                  Process:C:\Windows\System32\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):1.2168378994787208
                  Encrypted:false
                  SSDEEP:192:OOQBk/081iHxaWz8iyolHmF3WzuiF9Z24lO8i:XQBP81iRa48irGUzuiF9Y4lO8i
                  MD5:9350AAF68392DCF48F8332F98614BC70
                  SHA1:FB7C5105C52438B747253E5E83F22D78AA8C5E8C
                  SHA-256:44068A51064157C3167941A64E4CC876187840C640007FADDD6A10416B6EFF5A
                  SHA-512:FC2C8646F0E5E2AD2C2740318CF6F54B09FFA46EA31B611BC662A07F97DA8245E7FE8C49A887AB570995D50B02185358E1C1E6011BA25ECD00E7F7BBE9E7D695
                  Malicious:true
                  Reputation:low
Preview (decoded from UTF-16; the report shows only the start of the file):
Version=1
EventType=CLR20r3
EventTime=133824773510377017
ReportType=2
Consent=1
UploadTime=133824773517251943
ReportStatus=524384
ReportIdentifier=1cfd42b7-a105-4654-ada2-ba48eddbe2c5
IntegratorReportIdentifier=a0bda165-d625-4223-b1ed-b995768b0ea6
Wow64Host=34404
NsAppName=qlGJTKUY7O.exe
OriginalFilename=XClient.exe
AppSessionGuid=00001838-0001-0014-6177-dcebeb70db01
TargetAppId=W:0006dd18d5bea5304393826d001bb10aa8ab00000000!000007c91998055fc8babee116468d38f269400ced65!qlGJTKUY7O.e (truncated)
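The preview above is the useful part of a crashed-sample WER report: it keeps the name the binary was compiled with (OriginalFilename=XClient.exe, a name associated with XWorm client builds) even though the sample ran as qlGJTKUY7O.exe, and its TargetAppId embeds, in the middle "!"-delimited field, the SHA-1 of the crashed binary (07c91998055fc8babee116468d38f269400ced65, the sample's SHA1 in the file information below). EventTime is a Windows FILETIME and decodes to 2025-01-27 18:49:11 UTC, which matches the minidump timestamp on this page. The parser below is an added example, not part of the report or of Joe Sandbox; its input is a constructed Report.wer body rebuilt from the values in the preview (the preview's cut-off last field is completed with the sample name), and the reading of TargetAppId as W:<program id>!0000<sha1>!<app name> is an assumption based on the layout visible here and on Amcache's 0000-prefixed file IDs.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a Report.wer body in the same shape as the preview above (UTF-16 with BOM,
# CRLF-terminated key=value lines), rebuilt from the values the preview shows. The last field of
# TargetAppId is cut off in the preview and is completed here with the sample's name.
SAMPLE_WER = (
    "Version=1\r\nEventType=CLR20r3\r\nEventTime=133824773510377017\r\nReportType=2\r\n"
    "Consent=1\r\nUploadTime=133824773517251943\r\nReportStatus=524384\r\n"
    "ReportIdentifier=1cfd42b7-a105-4654-ada2-ba48eddbe2c5\r\n"
    "Wow64Host=34404\r\nNsAppName=qlGJTKUY7O.exe\r\nOriginalFilename=XClient.exe\r\n"
    "TargetAppId=W:0006dd18d5bea5304393826d001bb10aa8ab00000000"
    "!000007c91998055fc8babee116468d38f269400ced65!qlGJTKUY7O.exe\r\n"
).encode("utf-16")  # the "utf-16" codec prepends the BOM, as WER does

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_wer(raw: bytes) -> dict:
    """Decode a Report.wer blob (UTF-16 with BOM) into a key/value dict, keeping the first value per key."""
    text = raw.decode("utf-16")  # consumes the BOM; use "utf-16-le" if a file lacks one
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key not in fields:
            fields[key] = value
    return fields


def filetime_to_utc(ticks: int) -> datetime:
    """WER EventTime/UploadTime are Windows FILETIMEs: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def crashed_binary_identity(fields: dict) -> dict:
    """Pull the triage pivots out of a parsed report: the name the sample ran as, the
    OriginalFilename it was compiled with, and the SHA-1 embedded in TargetAppId.
    Assumed layout (see lead-in): TargetAppId = W:<program id>!0000<sha1>!<app name>."""
    parts = fields.get("TargetAppId", "").split("!")
    sha1 = None
    if len(parts) == 3 and parts[1].startswith("0000") and SHA1_RE.match(parts[1][4:]):
        sha1 = parts[1][4:]
    run_as, original = fields.get("NsAppName"), fields.get("OriginalFilename")
    return {
        "run_as": run_as,
        "original_filename": original,
        "sha1": sha1,
        "renamed": run_as != original,  # a renamed binary is a pivot worth recording by itself
        "crashed_at_utc": filetime_to_utc(int(fields["EventTime"])) if "EventTime" in fields else None,
    }


if __name__ == "__main__":
    for key, value in crashed_binary_identity(parse_wer(SAMPLE_WER)).items():
        print(f"{key}: {value}")
```

On a live host the same files sit under C:\ProgramData\Microsoft\Windows\WER\ReportQueue and ReportArchive, so this parser doubles as a way to recover the hash and original name of a crashed binary that has since been deleted.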
                  Process:C:\Windows\System32\WerFault.exe
                  File Type:Mini DuMP crash report, 16 streams, Mon Jan 27 18:49:11 2025, 0x1205a4 type
                  Category:dropped
                  Size (bytes):511453
                  Entropy (8bit):3.114171460971814
                  Encrypted:false
                  SSDEEP:3072:K0kdbG5s3+vv0UFWzRl4tMPYb9Y/cSpPw1C4gYAk9iYj1CCqoB5Dpx:K0kdqC3QSlMMPYb98pk5fgY7qG5Vx
                  MD5:B5513FE0A404DAC29E0D02434CA84B58
                  SHA1:A804C0DFAD25795C184CC7652677CA74B0072055
                  SHA-256:2C29D8FE35EE0505D6CBA144963E4D25C257CA9C57C570B5EDF08B36F7AF96E7
                  SHA-512:B17C4FA21AAB748CF4BDE50B991957D06C0EEF77941B071E4B98D1397AC54AA7F7F5BFD9471D54C4CA61AC7185FB8E49BDCAE0B39AC3399C74C04AFA19A38506
                  Malicious:false
                  Reputation:low
                  Preview:MDMP..a..... .......'.g........................H...$.......$...l&......d....&......T7.............l.......8...........T............;...............3...........5..............................................................................eJ......x6......Lw......................T.......8.....g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\System32\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8904
                  Entropy (8bit):3.7093251908469163
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJ2jlqY6YSCnmgmfZy8zprW89bnv1PfmDf5tm:R6lXJYlr6YXmgmfIQn9PfmDfK
                  MD5:A5D03A138098C076BB4934932900DC8D
                  SHA1:5D5AE3ABA03F41BAC54EA83B0BD81DF7007ED65D
                  SHA-256:247138A0DB85E42DCFD2B3873775D72B38DD251385AC3F3B168C6EC76916234F
                  SHA-512:14ADFF7F0FAAA456BBB68EC902C019D8A8D126D98A64EDBB596E63F7409D20B475EAABEF8E0D6AA67EFCD7D78D05093B7620E2A3BDCF9FDDDE2641B0F9C7B1D2
                  Malicious:false
                  Reputation:low
Preview (decoded from UTF-16; the report shows only the start of the file): <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6200</Pi (truncated)
                  Process:C:\Windows\System32\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4780
                  Entropy (8bit):4.475809465960582
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zsZJg771I9i9WpW8VYqKYm8M4JqnFfymyq8vvlGG7Td:uIjfrI7VM7VnjJNmWNF7Td
                  MD5:DDE86D3D05CE408B21710D79D9175837
                  SHA1:6D095AD41EB144266DB744BF5AE3C7FE4727E9B0
                  SHA-256:E833B22B863F7BD9ECE44EA9B4FF9EA8CA00BFF63480868FD4E0566B348A2115
                  SHA-512:7DD998DEC8413AB8F6F9D1EF2B8EE34986B0DEDA03A345E5947A6B72F90BAD7B99485946E54CE6145FAE91EBFF14B79D9B34A605B047A862D7A75D024FAE29E5
                  Malicious:false
                  Reputation:low
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="694671" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\System32\WerFault.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):1835008
                  Entropy (8bit):4.372267423097939
                  Encrypted:false
                  SSDEEP:6144:JFVfpi6ceLP/9skLmb0hyWWSPtaJG8nAge35OlMMhA2AX4WABlguN2iL/:fV1byWWI/glMM6kF7Qq/
                  MD5:164844D4BC20A3910ACFF46155C24B6E
                  SHA1:0C876422D1E854500E2502C7934EF7BC63FC884D
                  SHA-256:2EF0773316151E0676F07038C79C7E47A87E782614D10F055D8B546DC0020EE2
                  SHA-512:2B59FD356E4A0E4448EF75859A06A86273F97E37FFAAA51876BC25EF4F75EFC767BC8F71D3ADB06D85A953F9E86B1F4CA44977AA167C21F52BE3EB4D84F34375
                  Malicious:false
                  Reputation:low
                  Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..,'.p...............................................................................................................................................................................................................................................................................................................................................;.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):6.6429573436509255
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  • Win32 Executable (generic) a (10002005/4) 49.75%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Windows Screen Saver (13104/52) 0.07%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  File name:qlGJTKUY7O.exe
                  File size:242'769 bytes
                  MD5:11438178690245614874f6b764556d70
                  SHA1:07c91998055fc8babee116468d38f269400ced65
                  SHA256:de2caf0c3b99a460e5814236acb8d0015553a694ce41ee1cc67bb3576f356a6c
                  SHA512:0cbfb9f8a239812966e76c8205f781c722188b6ffe4d95736563a387b5843783f85a2549028366b1af0499f7decb2069043096de355270ca60ca93cb2b1da52a
                  SSDEEP:3072:dKQ838htC1xXkbE7sO9HqtlrxNeLR1VfBKQ838htC1xXkbE7sO9HqtlrxNeLR1VT:dSs8UbptxnqR1TSs8UbptxnqR1h
                  TLSH:E934E79C736072DFC8ABD5719EA82C64EB70757B830B4617A457029EAE0D98BCF141F2
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p.g............................n.... ........@.. .......................@............@................................
                  Icon Hash:00928e8e8686b000
                  Entrypoint:0x40f26e
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x679270D9 [Thu Jan 23 16:39:53 2025 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entry point, 0x40f26e):
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times)

The single jmp is the entire native entry stub of this managed executable: 0x402000 is ImageBase (0x400000) plus the IAT RVA (0x2000), the one IAT slot, which holds the address of mscoree.dll!_CorExeMain, the only native import listed below. The 97 "add byte ptr [eax], al" lines are the disassembler decoding 0x00 padding after the 6-byte stub, not code. A .NET sample whose native entry point is anything other than this trampoline carries a hand-written native stub and deserves a closer look.
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf220 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x4ce | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
.text | 0x2000 | 0xd274 | 0xd400 | b7405d31711236f0e57e5ae179990193 | False | 0.6131522700471698 | data | 6.053995047071589 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x10000 | 0x4ce | 0x600 | b6854ead75e0aea5a0ec3175723e462f | False | 0.3736979166666667 | data | 3.7184457289766475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12000 | 0xc | 0x200 | 6337b9e9d5046d21cbc9e9adf359daaa | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity):
RT_VERSION | 0x100a0 | 0x244 | data | | | 0.4724137931034483
RT_MANIFEST | 0x102e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

Imports (DLL | Import):
mscoree.dll | _CorExeMain
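Everything in the tables above says this is a stock-shaped managed PE: a single mscoree.dll!_CorExeMain import, an 8-byte IAT at RVA 0x2000 immediately followed by the 0x48-byte CLR header (COM_DESCRIPTOR at 0x2008; IMAGE_COR20_HEADER is 72 bytes), and an entry point whose only instruction jumps through that IAT slot. The check below is added here and is not taken from the report or from Joe Sandbox: it parses just enough of a PE32 to verify that relationship and flags a .NET file whose native entry is anything else. It runs against a constructed PE32 skeleton built from the table values; PointerToRawData for .text is not listed in the report, so 0x200 is assumed.

```python
import struct

# Header values taken from the report's tables; .text's PointerToRawData is not listed there,
# so the usual first-section file offset 0x200 is assumed.
IMAGE_BASE = 0x400000
ENTRY_RVA = 0x40F26E - IMAGE_BASE            # the report lists the entry point as a VA
TEXT_VA, TEXT_VSIZE, TEXT_RAW_SIZE, TEXT_RAW_PTR = 0x2000, 0xD274, 0xD400, 0x200
IAT_RVA, IAT_SIZE = 0x2000, 0x8
COM_RVA, COM_SIZE = 0x2008, 0x48              # IMAGE_COR20_HEADER, 72 bytes
DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14

GOOD_STUB = b"\xFF\x25" + struct.pack("<I", IMAGE_BASE + IAT_RVA)  # jmp dword ptr [0x402000]
NATIVE_STUB = b"\xE8\x00\x00\x00\x00\xC3"                          # call $+5; ret: a hand-written native entry


def build_minimal_pe(stub: bytes) -> bytes:
    """Constructed test input: a PE32 skeleton with one .text section laid out like the sample,
    with `stub` placed at the entry point. Only the fields the checker reads are populated."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                     # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)                                            # PE32 optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, ENTRY_RVA)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)                     # ImageBase
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_IAT, IAT_RVA, IAT_SIZE)
    struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, COM_RVA, COM_SIZE)
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", TEXT_VSIZE, TEXT_VA, TEXT_RAW_SIZE,
                       TEXT_RAW_PTR, 0, 0, 0, 0, 0x60000020)
    image = bytearray(TEXT_RAW_PTR + TEXT_RAW_SIZE)
    header = bytes(dos) + coff + bytes(opt) + sect
    image[: len(header)] = header
    ep_off = TEXT_RAW_PTR + (ENTRY_RVA - TEXT_VA)
    image[ep_off : ep_off + len(stub)] = stub
    return bytes(image)


def check_managed_entry_stub(pe: bytes) -> dict:
    """Parse just enough of a PE32 file to decide whether its native entry point is the 6-byte
    `jmp dword ptr [IAT slot]` trampoline that compiler-emitted .NET executables have."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew : e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here (the sample is 32-bit)")
    ep_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    n_dirs = struct.unpack_from("<I", pe, opt + 92)[0]

    def directory(index):
        return struct.unpack_from("<II", pe, opt + 96 + 8 * index) if index < n_dirs else (0, 0)

    iat_rva, iat_size = directory(DIR_IAT)
    _, clr_size = directory(DIR_COM_DESCRIPTOR)
    sections = [struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i) for i in range(n_sections)]

    def rva_to_offset(rva):
        for _name, vsize, va, raw_size, raw_ptr in sections:
            if va <= rva < va + max(vsize, raw_size):
                return raw_ptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    stub = pe[rva_to_offset(ep_rva) :][:6]
    result = {"managed": clr_size != 0, "entry_rva": ep_rva, "jmp_target": None, "stub_is_clr_trampoline": False}
    if stub[:2] == b"\xFF\x25":                                     # FF 25 = jmp dword ptr [abs32]
        target = struct.unpack_from("<I", stub, 2)[0]
        result["jmp_target"] = target
        result["stub_is_clr_trampoline"] = iat_rva <= target - image_base < iat_rva + iat_size
    return result


if __name__ == "__main__":
    for label, stub in (("compiler stub", GOOD_STUB), ("native stub", NATIVE_STUB)):
        print(label, check_managed_entry_stub(build_minimal_pe(stub)))
```

A managed file that fails this check (no CLR header alongside a jmp into the IAT, or a CLR header but a non-trampoline entry) is worth unpacking manually before trusting any .NET decompiler's view of it.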


Suricata IDS alerts (Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol):
2025-01-27T19:47:51.194552+0100 | 2858800 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:47:51.417290+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:47:51.494628+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:47:57.037211+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:47:57.037211+0100 | 2858801 | ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:01.483420+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:01.485753+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:11.769294+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:11.778914+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:11.782998+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:21.634752+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:21.636877+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:27.151730+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:27.159381+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:31.713469+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:31.715310+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:40.215397+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:40.217657+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:42.884882+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:42.887449+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:43.008606+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:43.010205+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:43.777041+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:43.779456+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:48.088581+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:48.101526+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:52.666514+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:52.670400+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:56.635555+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:56.637669+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:56.946966+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:49:00.026250+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:49:00.030174+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:05.010393+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:49:05.014088+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:49:05.132930+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:49:05.134931+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
                  2025-01-27T19:49:08.980030+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849706TCP
                  2025-01-27T19:49:08.982209+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849706176.113.115.2254444TCP
                  2025-01-27T19:49:09.121936+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849706TCP
                  2025-01-27T19:49:09.135998+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849706176.113.115.2254444TCP
                  2025-01-27T19:49:09.243863+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849706TCP
                  2025-01-27T19:49:09.249643+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849706176.113.115.2254444TCP
                  2025-01-27T19:49:09.373699+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849706176.113.115.2254444TCP
                  2025-01-27T19:49:09.381253+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849706176.113.115.2254444TCP
                  2025-01-27T19:49:09.486029+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849706TCP
                  2025-01-27T19:49:09.494299+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849706176.113.115.2254444TCP
                  2025-01-27T19:49:09.613514+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849706176.113.115.2254444TCP
                  2025-01-27T19:49:09.621172+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849706176.113.115.2254444TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 27, 2025 19:47:40.936048031 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:47:40.940860987 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:47:40.940938950 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:47:41.119703054 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:47:41.124778032 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:47:51.194551945 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:47:51.199675083 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:47:51.417289972 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:47:51.467880011 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:47:51.494627953 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:47:51.499484062 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:47:57.037210941 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:47:57.092892885 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:01.265467882 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:01.270340919 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:01.483419895 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:01.485753059 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:01.491880894 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:11.343321085 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:11.348262072 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:11.769294024 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:11.778913975 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:11.782998085 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:11.783047915 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:11.783710003 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:21.421437025 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:21.426238060 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:21.634752035 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:21.636877060 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:21.641694069 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:27.151730061 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:27.159380913 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:27.159673929 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:31.499730110 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:31.504683018 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:31.713469028 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:31.715310097 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:31.720175028 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:39.999769926 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:40.006592035 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:40.215396881 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:40.217657089 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:40.222466946 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:42.671472073 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:42.676371098 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:42.702828884 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:42.707791090 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:42.884881973 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:42.887449026 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:42.892262936 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:43.008605957 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:43.010205030 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:43.015084982 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:43.562838078 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:43.570066929 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:43.777040958 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:43.779455900 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:43.785077095 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:47.874459028 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:47.880044937 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:48.088581085 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:48.101526022 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:48.106398106 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:52.452687025 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:52.457561970 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:52.666513920 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:52.670399904 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:52.675170898 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:56.421487093 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:56.426410913 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:56.635555029 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:56.637669086 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:56.642884970 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:56.946965933 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:57.108675003 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:59.812382936 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:59.817167044 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:00.026249886 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:00.030174017 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:00.034991980 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:04.796761036 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:04.805911064 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:04.828120947 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:04.834160089 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:05.010392904 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:05.014087915 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:05.020061970 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:05.132930040 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:05.134931087 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:05.139770985 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:08.765894890 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:08.770703077 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:08.890372992 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:08.895147085 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:08.921375990 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:08.926156044 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:08.980030060 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:08.982208967 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:08.988204002 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:08.999572039 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:09.004318953 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:09.015217066 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:09.019969940 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:09.093314886 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:09.098140955 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:09.121936083 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:09.135998011 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:09.183001041 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:09.183058977 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:09.187839031 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:09.218508959 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:09.223275900 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:09.243863106 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:09.249643087 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:09.299052954 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:09.364969015 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:09.373698950 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:09.378524065 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:09.381253004 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:09.386086941 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:09.486028910 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:09.494298935 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:09.499119043 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:09.607422113 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:09.613513947 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:09.618475914 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:09.621171951 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:49:09.625983000 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:49:19.348105907 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
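The packet list and the Suricata rows above carry more than a list of IPs: the timing of the client-initiated exchanges gives the implant's beacon cadence, and the alert SIDs show which direction of the check-in each signature covers. The script below is an added example, not part of the Joe Sandbox report; it parses the first 19 packet rows and the first 5 alert rows (copied from the report's tables, with " | " as the script's own column delimiter) and derives the C2 endpoint, the interval between client-initiated exchanges and the alert count per SID on that flow. The 2 s silence threshold, the function names and the assumption that 192.168.2.8 is the analysis VM are ours.

```python
"""Turn a sandbox report's network tables into indicators: the C2 endpoint,
the implant's beacon cadence, and the Suricata SIDs that fired on the flow."""
import re
from collections import Counter, namedtuple
from datetime import datetime
from statistics import median

# Rows copied from the report's TCP packet list (the first 19), written as
# " | "-separated columns: Timestamp, Source Port, Dest Port, Source IP, Dest IP.
PACKET_ROWS = """\
Jan 27, 2025 19:47:40.936048031 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:47:40.940860987 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:47:40.940938950 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:47:41.119703054 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:47:41.124778032 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:47:51.194551945 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:47:51.199675083 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:47:51.417289972 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:47:51.467880011 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:47:51.494627953 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:47:51.499484062 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:47:57.037210941 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:47:57.092892885 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:01.265467882 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:01.270340919 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:01.483419895 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:01.485753059 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 27, 2025 19:48:01.491880894 CET | 4444 | 49706 | 176.113.115.225 | 192.168.2.8
Jan 27, 2025 19:48:11.343321085 CET | 49706 | 4444 | 192.168.2.8 | 176.113.115.225
"""

# Rows copied from the report's Suricata alert list (the first 5): Timestamp, SID,
# Signature, Severity, Source IP, Source Port, Dest IP, Dest Port, Protocol.
ALERT_ROWS = """\
2025-01-27T19:48:21.636877+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
2025-01-27T19:48:27.151730+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:27.159381+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:31.713469+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49706 | TCP
2025-01-27T19:48:31.715310+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49706 | 176.113.115.225 | 4444 | TCP
"""

SANDBOX_IP = "192.168.2.8"  # assumption: the analysis VM's address in this report
Packet = namedtuple("Packet", "ts sport dport sip dip")

def parse_ts(text):
    """Joe Sandbox prints nanoseconds; strptime's %f takes at most 6 digits.
    The zone suffix is dropped because only timestamp differences are used."""
    text = re.sub(r"(\.\d{6})\d+", r"\1", text.replace(" CET", ""))
    return datetime.strptime(text, "%b %d, %Y %H:%M:%S.%f")

def parse_packets(text):
    packets = []
    for line in filter(str.strip, text.splitlines()):
        ts, sport, dport, sip, dip = (c.strip() for c in line.split("|"))
        packets.append(Packet(parse_ts(ts), int(sport), int(dport), sip, dip))
    return sorted(packets, key=lambda p: p.ts)

def c2_endpoint(packets, client_ip=SANDBOX_IP):
    """The remote (ip, port) the client sends to most often: the C2 indicator."""
    remote = Counter((p.dip, p.dport) for p in packets if p.sip == client_ip)
    return remote.most_common(1)[0][0]

def beacon_intervals(packets, client_ip=SANDBOX_IP, quiet=2.0):
    """Seconds between client-initiated exchanges. An exchange starts with a
    client packet preceded by at least `quiet` seconds of silence in both
    directions, so ACKs and replies inside an exchange are not counted."""
    starts, prev = [], None
    for p in packets:
        silent = prev is None or (p.ts - prev.ts).total_seconds() >= quiet
        if p.sip == client_ip and silent:
            starts.append(p.ts)
        prev = p
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]

def beacon_period(packets, client_ip=SANDBOX_IP):
    """Median exchange interval, or None when fewer than two exchanges were seen."""
    intervals = beacon_intervals(packets, client_ip)
    return median(intervals) if intervals else None

def alerts_by_sid(text, c2):
    """Count Suricata alerts per SID, keeping only alerts that involve the C2."""
    counts = Counter()
    for line in filter(str.strip, text.splitlines()):
        _, sid, _sig, _sev, sip, sport, dip, dport, _ = (c.strip() for c in line.split("|"))
        if c2 in {(sip, int(sport)), (dip, int(dport))}:
            counts[int(sid)] += 1
    return dict(counts)

if __name__ == "__main__":
    pkts = parse_packets(PACKET_ROWS)
    print(c2_endpoint(pkts), beacon_period(pkts), alerts_by_sid(ALERT_ROWS, c2_endpoint(pkts)))
```

On these rows the exchanges start at 19:47:40.9, 19:47:51.2, 19:48:01.3 and 19:48:11.3, a period of about 10 s; a fixed cadence like this, on a non-standard port with a single remote peer, is what beacon-detection logic keys on, independent of the payload signature. The SID split shows the two ETPRO rules as a pair: 2852923 fires on the client-to-C2 prefix bytes and 2852870 on the C2-to-client reply, so a flow with both is a completed check-in, not a one-sided probe.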
[Charts not reproduced: per-process CPU (0-100 %) and memory (0-40 MB) usage over the first 100 s of the run, and the process behavior distribution across File, Registry and Network events.]

Target ID: 0
Start time: 13:47:31
Start date: 27/01/2025
Path: C:\Users\user\Desktop\qlGJTKUY7O.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\qlGJTKUY7O.exe"
Imagebase: 0xab0000
File size: 242'769 bytes
MD5 hash: 11438178690245614874F6B764556D70
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1603844841.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1603844841.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2670364525.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 8
Start time: 13:49:10
Start date: 27/01/2025
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -u -p 6200 -s 1528
Imagebase: 0x7ff7af1a0000
File size: 570'736 bytes
MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                  Executed Functions

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID: 0-3916222277
                  • Opcode ID: 687a27aab43f921c56c01c5938bd852276e7ec81a4d45f5e78a215f879950e70
                  • Instruction ID: 55ff74488e1eb90a8da9266c70d048ad89a3e8922f761a24404051a3d2959fd6
                  • Opcode Fuzzy Hash: 687a27aab43f921c56c01c5938bd852276e7ec81a4d45f5e78a215f879950e70
                  • Instruction Fuzzy Hash: 9D6260B0B1D91A4BEA95FF7CC595679F2D6EF98300F6105B8D42EC3296DE28E8428740
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 51ef8ed6c470c5756b3c53c2071620a758fa3ce57394240296c9b778f7a5d79d
                  • Instruction ID: 5c0990ddc8d18302c59ef157228242a76a7e63db36858af47b648eea40ad65cb
                  • Opcode Fuzzy Hash: 51ef8ed6c470c5756b3c53c2071620a758fa3ce57394240296c9b778f7a5d79d
                  • Instruction Fuzzy Hash: E0F1A27060CA8D8FEBA8EF28DC557E977D1FF54310F1446AEE85DC7291CA3499418B82
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bd14a9d7f28e0a3ab102ade7b3690d383dce2df576f7f830d4e4a838e57f9b58
                  • Instruction ID: f5347b637e9b3772240007b02fc613cb99eebf4bee30aae5d3e6621cf40403fb
                  • Opcode Fuzzy Hash: bd14a9d7f28e0a3ab102ade7b3690d383dce2df576f7f830d4e4a838e57f9b58
                  • Instruction Fuzzy Hash: 44E1A3B0A0CA4D8FEBA8EF2CC8557E977D1FB54310F14426EE85DC7291CE7899458B82
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID: d
                  • API String ID: 0-2564639436
                  • Opcode ID: b5493c7187e69b99b91a893e8357c66fd254b8b675d7d3b6e45588c3e731483b
                  • Instruction ID: 857bf08c66bdfe7c56360512f59b1253bf4b9ac2904b89992cdfc861068df3d4
                  • Opcode Fuzzy Hash: b5493c7187e69b99b91a893e8357c66fd254b8b675d7d3b6e45588c3e731483b
                  • Instruction Fuzzy Hash: 3321D1B2D0C29A4FEB00AFB8C9056EDBBE4EF45380F1401BED869D31D2CA2C68458391
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7f8d9211734da26eb614bff45d666c57a761000f672b5bf3e718ee4f5640d017
                  • Instruction ID: b29e891ad7e12beb6db6ecbc562f6c411d1785d29e5c445f1341939f275de366
                  • Opcode Fuzzy Hash: 7f8d9211734da26eb614bff45d666c57a761000f672b5bf3e718ee4f5640d017
                  • Instruction Fuzzy Hash: 10D1E3B1A1CA198FDB69FF3CC8986B5F7D5FB58310F5101BDE459C729ACE28A8018781
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3cad2bae6d6432ec5db3157c9d45de8133213e8585cbe1f66b0caa686aa79db3
                  • Instruction ID: 690b27bfe37af607a79894f607bfad8d01d7692eeea3501910d4bb0a8b8010a1
                  • Opcode Fuzzy Hash: 3cad2bae6d6432ec5db3157c9d45de8133213e8585cbe1f66b0caa686aa79db3
                  • Instruction Fuzzy Hash: 99B13CE1B1DA464BEB59AF3C84192B9EBD1FF95350F5801FED469C71C7CD28A8068381
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 54f19eff227b7806233da0ee5aedd6693dea6fa3ab275a10bda23febac20c8d8
                  • Instruction ID: c407f96efef21d5c05c3f462708c3321847c36a90359584cb8710f0d035bdbd4
                  • Opcode Fuzzy Hash: 54f19eff227b7806233da0ee5aedd6693dea6fa3ab275a10bda23febac20c8d8
                  • Instruction Fuzzy Hash: A4B1F67060CA4D8FDB69EF28C8557E97BE1EF55310F14426EE85DC7292CE34A9418B82
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 746f33d56060a040fbd004aa1018aaa6013a7a1f93ffa28e5d7e0f7402b0b143
                  • Instruction ID: 0fe4a0d8fe5373c9f762df667e833ca3964045b692a0a36a410419349f4bd042
                  • Opcode Fuzzy Hash: 746f33d56060a040fbd004aa1018aaa6013a7a1f93ffa28e5d7e0f7402b0b143
                  • Instruction Fuzzy Hash: 459189A071AA09CBEA49BB7CD4567B9F2D6FFA8300F6005B9E40DC36D6CD28BD414761
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3d974418b762658c899a59e0165057bff10b8cc4d5fbd9243b7fc2a079e815a3
                  • Instruction ID: f470a2bc4c06cd56e66a9b99b2bdb85ffb94269d54b5a9d545a8cd39214229ee
                  • Opcode Fuzzy Hash: 3d974418b762658c899a59e0165057bff10b8cc4d5fbd9243b7fc2a079e815a3
                  • Instruction Fuzzy Hash: E39103A2E0EA4A4FEB55FF3CC8452A8F7E5EF54391F5401FAD419C7196DE28A8068381
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 270221b88d456c8dc501b94c0ec4615d3e43f73fd8778a3cf215f098ddaedf67
                  • Instruction ID: f3ffd88b0a78db16078250a3036a5cd4bd9173796ebc63f248b3cf4434890527
                  • Opcode Fuzzy Hash: 270221b88d456c8dc501b94c0ec4615d3e43f73fd8778a3cf215f098ddaedf67
                  • Instruction Fuzzy Hash: 8121F5A2A1C64B5FEB84BF7CC8960EDFB61EF842C0F5000B9C119961C6CD2829428741
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ad206384a218bf55c7058ddd983e085e5b1dfa59d2ab973f539679017f4b5892
                  • Instruction ID: 4e63da551d558b9382977bc453aa0b0e709b5d00e4d36f1733e40398ba8ab586
                  • Opcode Fuzzy Hash: ad206384a218bf55c7058ddd983e085e5b1dfa59d2ab973f539679017f4b5892
                  • Instruction Fuzzy Hash: A4518370A08A0D8FDB99EF68D8457EDBBF5FF58310F2041AAD44DD3252CA34A942CB81
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 22e5abb3bdde45239558c98f8504da24f615d685ac35395bc09f609b954559a4
                  • Instruction ID: 9bca6f6477a34756abe16b4fcb3fc16e06b45a44d8c42febf9929f4613fb1c5d
                  • Opcode Fuzzy Hash: 22e5abb3bdde45239558c98f8504da24f615d685ac35395bc09f609b954559a4
                  • Instruction Fuzzy Hash: E45139A1B1DA4A4FEB99BB7CD4591BDBBD5FF98310B4004FDE40EC3286DD28A9018361
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 65c218a833878918b1c507e777189e7f03a0980bea1bd2a6ce07f71226bb0047
                  • Instruction ID: 58d6dd8b80ae4b9de362ee23a779fa70aec976e0bdd02a8841ecd24c866f99a7
                  • Opcode Fuzzy Hash: 65c218a833878918b1c507e777189e7f03a0980bea1bd2a6ce07f71226bb0047
                  • Instruction Fuzzy Hash: 8261F774A0E6864FEB47EF7884516A9BBA1EF5A310F2802FDD069C71D3CE2C6846C751
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: aa9c62542c6619489c17b8164ffe9acdad02a36b55032f23fe2f5627c970ae61
                  • Instruction ID: c78a9cc0f4f4015b239fc2d149f0adb5d90a2967724cea4276ea4f7edfbb8098
                  • Opcode Fuzzy Hash: aa9c62542c6619489c17b8164ffe9acdad02a36b55032f23fe2f5627c970ae61
                  • Instruction Fuzzy Hash: FF518EB0A1D9599FEB95EF7CD8556BCB7E2EF89340F1040B9E44DD3292CE28A8418740
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d42310d9773fcbc8666b986bca32ce68b59aab6e12c89dc918e67d179eb8abc6
                  • Instruction ID: 2cdb3a7e3ef8f6ffce8c36e6fe5312c21ae73f523384f047bf2ba33f357ab3ea
                  • Opcode Fuzzy Hash: d42310d9773fcbc8666b986bca32ce68b59aab6e12c89dc918e67d179eb8abc6
                  • Instruction Fuzzy Hash: 53619170908A0C8FDF59EF68D845BE9BBF1FB59310F1082AAD44DD3252DE34A9858F81
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 89e1e2710d271df9788fc06bd8dd3f36739d3f877fbb02e580e6d6a7fb21e829
                  • Instruction ID: 340bdbaa3a4837202347e394e0e3e24de3768706919aebf6fa92b410354ebd49
                  • Opcode Fuzzy Hash: 89e1e2710d271df9788fc06bd8dd3f36739d3f877fbb02e580e6d6a7fb21e829
                  • Instruction Fuzzy Hash: EA51F5B1A4C6484FDB95EF78D859AF9BBE5EF49310F1500BAE44DC72A2CD28AC42C740
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2a7ed1fb746136410a54c5bc13ecaba1c9b18f6a03d68e6107b61ed88c07aa7d
                  • Instruction ID: a0606f24e129dbc38afa7cb5f03f2b5a43a7495c485c113bce36e22fa3d9b63c
                  • Opcode Fuzzy Hash: 2a7ed1fb746136410a54c5bc13ecaba1c9b18f6a03d68e6107b61ed88c07aa7d
                  • Instruction Fuzzy Hash: 46514F70A18A1D8FDB98EF68D8457EDB7F1FF58310F20426AD44DE3256DA34A9428F81
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8f1dc2e88ff0d0048b7b23ec24c147ff9c04af71fe2fc0e2d388b5cc9993bdcd
                  • Instruction ID: 7414c4740076e7973387c5661b8e9cc2842b327ad7baef8a2cf59ca09613b80c
                  • Opcode Fuzzy Hash: 8f1dc2e88ff0d0048b7b23ec24c147ff9c04af71fe2fc0e2d388b5cc9993bdcd
                  • Instruction Fuzzy Hash: 43517CB1A0D7894FDB56EF38C8546A5BFE0FF56720B1501FEE0DAC719AC9285842C781
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4eacfa44f287ebcc5f8009d2aef5691d825f7c382cc6c547398fdc518295b3ab
                  • Instruction ID: bfc75ca6bbc1c666929dd53cc2b6f8a8497705ca8933ad3611d6e016972818ef
                  • Opcode Fuzzy Hash: 4eacfa44f287ebcc5f8009d2aef5691d825f7c382cc6c547398fdc518295b3ab
                  • Instruction Fuzzy Hash: EC51A4B4A0DA4D8FDB59EF68D8596B9B7E4FB29311F10016EE009C3692DB35E846CB40
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b41d53f970fe1e31121942b6cb9e40116acd203ddf585125c5d0efddc5997efa
                  • Instruction ID: d64bb461501d2546c250e77d5150745a14ad36e71fc8cae5bde7a0623c854f85
                  • Opcode Fuzzy Hash: b41d53f970fe1e31121942b6cb9e40116acd203ddf585125c5d0efddc5997efa
                  • Instruction Fuzzy Hash: 6941165170DA890FE78AAB7C9859278BBD2DFCA215F0801FFE44DC7293CD189C068351
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 79bf73b271931025be83be7b1642fb7336481f8ede98fe231647c644344e0203
                  • Instruction ID: 5eb0aa26966e806e1839560f84fddb14acda12d12c43b1eaf9cb5584b4145f38
                  • Opcode Fuzzy Hash: 79bf73b271931025be83be7b1642fb7336481f8ede98fe231647c644344e0203
                  • Instruction Fuzzy Hash: 7B4151B1B1890C4FDB95FB7CD859AB9B7E6EF98310F5401B9E40ED3296DE24AC428740
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c0f1c28386ef9479e1d9cf31fb5aadb4e3830c2a07a795cf7da66e6f880cb347
                  • Instruction ID: 317b6e912162d6a2a0fdbb180af892d78c12667fe708d961f4aa9000a18f9fa9
                  • Opcode Fuzzy Hash: c0f1c28386ef9479e1d9cf31fb5aadb4e3830c2a07a795cf7da66e6f880cb347
                  • Instruction Fuzzy Hash: 7E41B0B2B08A495FEF85EF7CC4596BCB7E1EF99340B1400BAD44DD3292DF2898418751
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 161ec5c8f58a398e9ad13813be70db5f6fb419f0cc9018060fb0410106a70664
                  • Instruction ID: 540d5a55e4a7c536c344f7251b1d7b62e53e5d2b8b06efffb454f3436ba109ba
                  • Opcode Fuzzy Hash: 161ec5c8f58a398e9ad13813be70db5f6fb419f0cc9018060fb0410106a70664
                  • Instruction Fuzzy Hash: 5F31C261B1D9490FE799BA3C945A779A6C2EBD8315F1401BEE40EC3297DE68AC468340
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3cbb9592523d18198a8060bc6edad54e8caea3f4e5960b5415f0587971bfe93b
                  • Instruction ID: 05956c157624ab790e888d6ee2910d398332f9fe79b809afd4b07b1eb5d968ed
                  • Opcode Fuzzy Hash: 3cbb9592523d18198a8060bc6edad54e8caea3f4e5960b5415f0587971bfe93b
                  • Instruction Fuzzy Hash: ED310891B19A094FFB45BBBCD81A3BDA7C6FB98311F0401BAE40DC3282DD189D4147A1
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5a6d4e182ad5063e989bdf38a17446d6f6e4a43a0b9f16be56735653d78de04a
                  • Instruction ID: 1cfda1d2bac4aceb49ad144a758012d91e0cb4f34a3c77306ccc6125c5440879
                  • Opcode Fuzzy Hash: 5a6d4e182ad5063e989bdf38a17446d6f6e4a43a0b9f16be56735653d78de04a
                  • Instruction Fuzzy Hash: 0C41A5A4A1DA4A8FEB46FF78C8556B9FBA1FF94300F5004B9D049D3696CD38A9018B51
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 10547ad7b6697cd7ceee2fbbbc64bd84632e355f556e4c7963a6e9834cbcaee1
                  • Instruction ID: 1a31e027dfffa095f41625c7bc8aca5928c109dbc00a3b84b209c74951226e03
                  • Opcode Fuzzy Hash: 10547ad7b6697cd7ceee2fbbbc64bd84632e355f556e4c7963a6e9834cbcaee1
                  • Instruction Fuzzy Hash: 79310C91B19D094BFB85BBBCD80A3FD66C6FBD8351F10017AE40DC3282DD18AD4147A1
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cd1cee64219585c68ff9cd43d735546dd658a435ee2a48888e9eb1ef27523fa2
                  • Instruction ID: a434116a42f4bbdfcd7b41001c29f7290d732184bd7bd9cdb6115c31fbaee10c
                  • Opcode Fuzzy Hash: cd1cee64219585c68ff9cd43d735546dd658a435ee2a48888e9eb1ef27523fa2
                  • Instruction Fuzzy Hash: F931E67060DA899FDB47FF3CC895668BBE0FF56210B1402FAD058C72A2DA28E841C741
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 37125de58652fd52e65df6303d7049e2de2d2b19553d960145cdb38a742c8937
                  • Instruction ID: a3efe4dac215f4d3439e82112e986fc8911e8a98165efe90ee5e849e2544917b
                  • Opcode Fuzzy Hash: 37125de58652fd52e65df6303d7049e2de2d2b19553d960145cdb38a742c8937
                  • Instruction Fuzzy Hash: 42318F7040D7488FDB15DFA8D846AAABBF4FB56320F0482AED089C7562D764A406CB61
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c806b3b8387f760bb8de5be999e0adbb8d9ed61c7db6ccf140b6b42f59b3511c
                  • Instruction ID: be92fc621d424197b0ef71730efb218bf9e61ccde86c689ecf151fd4452fb5b3
                  • Opcode Fuzzy Hash: c806b3b8387f760bb8de5be999e0adbb8d9ed61c7db6ccf140b6b42f59b3511c
                  • Instruction Fuzzy Hash: 6621D571B0C9498FDB58EF7CC4856BDB6A1EF48314F5005BEE45ED32DACE2858428781
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 71cc079117c9f297b44ceae6081d2b5df8b09a784e16ed5bf61ed5eff7bd286e
                  • Instruction ID: b746208261563fe2ce48dfd35e4418a98bb926d068868f9a4d9ecc1f4fb8757e
                  • Opcode Fuzzy Hash: 71cc079117c9f297b44ceae6081d2b5df8b09a784e16ed5bf61ed5eff7bd286e
                  • Instruction Fuzzy Hash: 8C2108A1F0E1465BFB51BF3DC5562B8F6A5EF58310F6000FDE01D861C3DE28A8468291
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6537b7b06fb875a855e59cc52a948d692f55f18ead8155e1098e442296ada6b1
                  • Instruction ID: 61e41f04b0cd7274dc3ce57fe2f231117f56e2257c950177d55ca23ec46982a2
                  • Opcode Fuzzy Hash: 6537b7b06fb875a855e59cc52a948d692f55f18ead8155e1098e442296ada6b1
                  • Instruction Fuzzy Hash: A711D64B70E5A24BE602BA6EF8A51E9BB50DFC123231804F7C784CD143D504695F97F2
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 508f1fd56cb2bd451cff1dab176d69eb4832241164ca54ddcc618544943b6074
                  • Instruction ID: c303482892505cd687f3a83a8284812cdbf7de2793cbedfde867bb557da8bb55
                  • Opcode Fuzzy Hash: 508f1fd56cb2bd451cff1dab176d69eb4832241164ca54ddcc618544943b6074
                  • Instruction Fuzzy Hash: 89110AD1B1C9460BEB697F3C94162BAA6C6FB98350F5001BDE5AEC71C7CD28AD024282
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: abe8eee53b409b8a49cceaaf0799ea83aec007712539a3c9e072cc3758222a86
                  • Instruction ID: beee390d4ff34d353f1ea0f189666644b041e320e8ced2a7b74bd55617d14c25
                  • Opcode Fuzzy Hash: abe8eee53b409b8a49cceaaf0799ea83aec007712539a3c9e072cc3758222a86
                  • Instruction Fuzzy Hash: 4E21F6A1A0E1464FEB05BF7CC9562B0F7A4EF59360F6801F9D41CCB1C2EA28A40A8790
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4ae10c5b2a1ee965598df98febdba4fd65da7d1021cc8c02d328d8d81cd12c53
                  • Instruction ID: 5af74d50446430c9160ff9d4999b24e59d43cd624a0a0f6e72272c60124f2ca1
                  • Opcode Fuzzy Hash: 4ae10c5b2a1ee965598df98febdba4fd65da7d1021cc8c02d328d8d81cd12c53
                  • Instruction Fuzzy Hash: F421F390B1EA998BEB46BBBCD8167F9B7C5EB55300F6001F9E018C36C7CD18690587A2
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3ed97eb496fc98bbc07df9c16d9971122305457996289f41ddcbd364c8fa4e2a
                  • Instruction ID: 2450e521547ac7fc65e9f66e5abb4f8f4f1988bb38170d8df304b2e8854269d0
                  • Opcode Fuzzy Hash: 3ed97eb496fc98bbc07df9c16d9971122305457996289f41ddcbd364c8fa4e2a
                  • Instruction Fuzzy Hash: 9A21E0A0B1E6918FEB46BA7CC8267B8BB95EF55700F2501F9E058C75C7CD18A8018762
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a16077316390ebe3840305799710e8eaaf2bf0c1a1a86d3e147431e7c269a0e8
                  • Instruction ID: 373c5c195817238be8b9e9886c5724c7ec1872c9dbc3fbefe0afd7ec531093ce
                  • Opcode Fuzzy Hash: a16077316390ebe3840305799710e8eaaf2bf0c1a1a86d3e147431e7c269a0e8
                  • Instruction Fuzzy Hash: 0421EB60B4D68A0FEB46AF78CD116FABBF5EF89200F1441FAE499C7193CD2C98468751
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cee45e84d408db375a3dc7df1499914c9ab4c4db5889542c553f2a3ede778717
                  • Instruction ID: 5b20c38e7db096433860c04ab073a921f53817ae858e8ae92d6a2f9068c8a966
                  • Opcode Fuzzy Hash: cee45e84d408db375a3dc7df1499914c9ab4c4db5889542c553f2a3ede778717
                  • Instruction Fuzzy Hash: 8D11B6A0B1DA198BEB45BBBCD8167F9F2C9EB58300F6001B9E01DC36CACD1879118792
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1ace583c85a44ff9e051f5f30d921e1735415515837b9f165846320cba199414
                  • Instruction ID: b409b0f21f9f5a60f5761e08d9dc88da883c9567c3afbf8e31d948b963d85db0
                  • Opcode Fuzzy Hash: 1ace583c85a44ff9e051f5f30d921e1735415515837b9f165846320cba199414
                  • Instruction Fuzzy Hash: 7B1125F190868A4FEB59EF38886A1B8BFD1EB69201B1441BFD099D7296CE3414018301
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 520df6ab9874ee52f0103c0db66bf580324818dd1d26742bd7465c79da9f30b0
                  • Instruction ID: 736f9c39f5a96dea2f53f676ffd25dd20bd43a082fc12e8581a9e98cb16207b8
                  • Opcode Fuzzy Hash: 520df6ab9874ee52f0103c0db66bf580324818dd1d26742bd7465c79da9f30b0
                  • Instruction Fuzzy Hash: EE1104F190C68D8FEB59EF3888691B8BFE0EB79200F6440FFD099D6192DA7405008701
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6f91989df914e80bca392ae275f3d73989f3d1c695021a542cf5598bfda50795
                  • Instruction ID: 70582d9140e804ea83393fe6195ccffe01e969d68d3eb5123b3e601b8072fb91
                  • Opcode Fuzzy Hash: 6f91989df914e80bca392ae275f3d73989f3d1c695021a542cf5598bfda50795
                  • Instruction Fuzzy Hash: 2501ADA2A1CAAD4FDB91FB6C88151BCB7E0FB98310B0541FAE41DD3282DE2899014782
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c952e7106a87bfaeb33c39c7875fb391844e5e4cc0a9f7508725e182bd7d13f7
                  • Instruction ID: bda42a3dc4d4d997f0e73a967dbc97245b7f178b49db885cc732162e368af619
                  • Opcode Fuzzy Hash: c952e7106a87bfaeb33c39c7875fb391844e5e4cc0a9f7508725e182bd7d13f7
                  • Instruction Fuzzy Hash: 5E11E5A1D0D68D4FDB42AB7488561FE7FF1EF55301F4000ABD458C61A3DA2898408785
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fb4860192c89e43e706fcb2707448187453a1d71dab11544497534dadf6f5eba
                  • Instruction ID: 5dbecdde5f15f82fadbdc0f999c2fc852bc088139e88b602a6b176997eb4366f
                  • Opcode Fuzzy Hash: fb4860192c89e43e706fcb2707448187453a1d71dab11544497534dadf6f5eba
                  • Instruction Fuzzy Hash: E3017CE595E2C96EDB136F3848204A6BF78DF53214B5905FBE0E9CB0A3D50C0419C382
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 765b2fc1fe5abaa604d9f67a03cc595a06149e524573e32278558f38e638999f
                  • Instruction ID: a1d268bd94abf6bf77320aef9cd2575638231ef7c046ada393601fed90badb6d
                  • Opcode Fuzzy Hash: 765b2fc1fe5abaa604d9f67a03cc595a06149e524573e32278558f38e638999f
                  • Instruction Fuzzy Hash: 6301A2B1F1EA0786EB48FF3CC9562B8B295EF00291F5006BDD81AC21C7DD29B41742D1
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 832eb90e605511802130b21adadec0b24ea6c7b47b8afdeb6beb947dd727b95d
                  • Instruction ID: c91dd51e44a157ec79d8401560b09c76eac37937044f8fcbde3d7a30f688ef45
                  • Opcode Fuzzy Hash: 832eb90e605511802130b21adadec0b24ea6c7b47b8afdeb6beb947dd727b95d
                  • Instruction Fuzzy Hash: 10F0F492A0EB910FE792BE3C9855434BFE0DF59640B0904EEE899DA1E3D81C9D448383
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e269e0435bf387de5ac12ff03aafa29db41ef1d91ba6fe51e6db4f5a40cb1065
                  • Instruction ID: b48861a5041c6b90ee96ebe5aef147589cd14cf35381abc406f54130176946a0
                  • Opcode Fuzzy Hash: e269e0435bf387de5ac12ff03aafa29db41ef1d91ba6fe51e6db4f5a40cb1065
                  • Instruction Fuzzy Hash: EC01F2C0F1E2864BFB557F388956278AA85EF58700F6000FDF05A866C3DD5CA80A8241
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 074685ba57819ca8c3168d8cfa37cc684e2d9d23ec92bfc8596f33539fbd68cd
                  • Instruction ID: a617cdcb4505b017e77ebfbefc2da96f3dda088a0b3b9e1e65980197a363f16c
                  • Opcode Fuzzy Hash: 074685ba57819ca8c3168d8cfa37cc684e2d9d23ec92bfc8596f33539fbd68cd
                  • Instruction Fuzzy Hash: BCF0D1B0E0D5065BEB51FF3CC5422B4F3BAEF99320F6006B8E42DC21C1DE38A8568690
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7f8351274be1dbec26f6d39037cb7c10ef3609138011a3bd1324ba920caf8ba5
                  • Instruction ID: dc857bd35c3e7e0fd64107369922f6c2171a9351ee7fb29639f6159ea72663bf
                  • Opcode Fuzzy Hash: 7f8351274be1dbec26f6d39037cb7c10ef3609138011a3bd1324ba920caf8ba5
                  • Instruction Fuzzy Hash: 4DE022B690E3898FDF51AE6888110D8BF70EF19200F1102DFF45C4B052D721580C83C2
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 06826991786399864a1652b233f212eb18ee1e8d8cc46fd0c12b4cf0afe4c9bd
                  • Instruction ID: 70ae04d803d04f27a49f363630c2fcfa8de1bbf470be115e4ab6ce05eeb53e01
                  • Opcode Fuzzy Hash: 06826991786399864a1652b233f212eb18ee1e8d8cc46fd0c12b4cf0afe4c9bd
                  • Instruction Fuzzy Hash: 50E065A1A1CA1507F784BE3C954A47DB7D1DBA8350F18047DF85ED6299DC2CEA814783
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f90c6abc43b8329dcabbd0477c5a154210c86d8739ddd70407b9f0ea2e44e021
                  • Instruction ID: 42102789d7f0f0bb4df48068d7a2979be1d81f874f5f4f1566d833137d80c09c
                  • Opcode Fuzzy Hash: f90c6abc43b8329dcabbd0477c5a154210c86d8739ddd70407b9f0ea2e44e021
                  • Instruction Fuzzy Hash: DFD02375C5C98C4ADF517F7845010D9FF74FF40200F8015DAF47C45041D760511443C1
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f5126a02a73db16502306162ad1732f7eae5236e3751eb3d90fee572b05ed999
                  • Instruction ID: 6cea37b1f6ef8527691fc5004dee0a413d989d7018faa7c8b34e997a4e4d4d5e
                  • Opcode Fuzzy Hash: f5126a02a73db16502306162ad1732f7eae5236e3751eb3d90fee572b05ed999
                  • Instruction Fuzzy Hash: F8D05EE0E0F18275FA623E39C6067FAD9BCCF89390F2000FDF429511C59EA8245842E1
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1fcaafd12378e10aa7c6a11188127acb51519f8f49c0b5d12280c64558c7e435
                  • Instruction ID: d065b3229430f195865fe3639ee3327f7e85765532c40a5f4aaa5baaba40671b
                  • Opcode Fuzzy Hash: 1fcaafd12378e10aa7c6a11188127acb51519f8f49c0b5d12280c64558c7e435
                  • Instruction Fuzzy Hash: 8FC0127586894D5A9F517F6495011EAF37CFF00304F911696F43D82040DB24622446C2
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 171f5e95479c2d695c9e37bfdb648ea9d0111225c4f9e5625e60cc823d1bfb13
                  • Instruction ID: e0e389e91ef97d4bb258b273b2271ed51dc098c804ca60693194373270f3cb37
                  • Opcode Fuzzy Hash: 171f5e95479c2d695c9e37bfdb648ea9d0111225c4f9e5625e60cc823d1bfb13
                  • Instruction Fuzzy Hash: 80B01280E5F40700AC043E7D4A43164F404FB48250FE101F4E439C0089E84D109C0142

                  Non-executed Functions

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID: N_^$N_^$N_^$N_;
                  • API String ID: 0-2620560867
                  • Opcode ID: 6f20d0afe27e7686c3f6ff03b6c28e1418dfc08f52a0a95ed48a7e6d72b20213
                  • Instruction ID: a97feacad2884af12ef58d0d3b27ab9f30f6f52af8dd9baffc57d6d62b1fa096
                  • Opcode Fuzzy Hash: 6f20d0afe27e7686c3f6ff03b6c28e1418dfc08f52a0a95ed48a7e6d72b20213
                  • Instruction Fuzzy Hash: D62109E3E0EAC20FE756AE3CDD550F8AFA0EF517C5B1900FEC4A98B093ED1824164251
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2672187504.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4ad80000_qlGJTKUY7O.jbxd
                  Similarity
                  • API ID:
                  • String ID: N_^$N_^$N_^$N_;
                  • API String ID: 0-2620560867
                  • Opcode ID: 25bb396bc253a4fc4a1cff08c7c3b6a19b8fc39a2833c070ba5eb568b1615327
                  • Instruction ID: db3c2abfca8aebe5ed5e5a5339d259388bb03d9edd1a9144bc93fafe5a6c8ed9
                  • Opcode Fuzzy Hash: 25bb396bc253a4fc4a1cff08c7c3b6a19b8fc39a2833c070ba5eb568b1615327
                  • Instruction Fuzzy Hash: DC01E9D3D0EEC21FE766AE7CDDA60E4AFA0EF11785B1800FEC4E94B093ED1825154242