Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
QLTa31hZsN.exe

Overview

General Information

Sample name:QLTa31hZsN.exe
renamed because original name is a hash value
Original sample name:b22198ac3df18326aba01db3b50038e880327bad5ec59cc248848cd98d5eb0f6.exe
Analysis ID:1562320
MD5:daf2c3b134b7eb351027b07f9134093a
SHA1:bef5e2fbbb6409182e19025aa6eef37de9e2d9b5
SHA256:b22198ac3df18326aba01db3b50038e880327bad5ec59cc248848cd98d5eb0f6
Tags:exeuser-adrian__luca
Infos:

Detection

RedLine, XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • QLTa31hZsN.exe (PID: 7448 cmdline: "C:\Users\user\Desktop\QLTa31hZsN.exe" MD5: DAF2C3B134B7EB351027B07F9134093A)
    • XClient.exe (PID: 7564 cmdline: "C:\Users\user\AppData\Local\Temp\XClient.exe" MD5: 1C5CF825E29B63A62C3C8B1589D51A1E)
    • build.exe (PID: 7592 cmdline: "C:\Users\user\AppData\Local\Temp\build.exe" MD5: 1ED2ECAE05AAA1C505136F5252287CC7)
  • XClient.exe (PID: 8024 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 1C5CF825E29B63A62C3C8B1589D51A1E)
  • XClient.exe (PID: 4084 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 1C5CF825E29B63A62C3C8B1589D51A1E)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["212.162.149.53"], "Port": 7071, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Threatname: RedLine

{"C2 url": ["212.162.149.53:36014"], "Bot Id": "FOZ", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
    dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security

      Dropped Files

      SourceRuleDescriptionAuthorStrings
      C:\Users\user\AppData\Local\Temp\XClient.exeJoeSecurity_XWormYara detected XWormJoe Security
        C:\Users\user\AppData\Local\Temp\XClient.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0x8aed:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x8b8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x8c9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0x867f:$cnc4: POST / HTTP/1.1
        C:\Users\user\AppData\Roaming\XClient.exeJoeSecurity_XWormYara detected XWormJoe Security
          C:\Users\user\AppData\Roaming\XClient.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0x8aed:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x8b8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x8c9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x867f:$cnc4: POST / HTTP/1.1
          C:\Users\user\AppData\Local\Temp\build.exeJoeSecurity_RedLineYara detected RedLine StealerJoe Security

            Memory Dumps

            SourceRuleDescriptionAuthorStrings
            00000002.00000000.1347511196.0000000000602000.00000002.00000001.01000000.00000006.sdmpJoeSecurity_XWormYara detected XWormJoe Security
              00000002.00000000.1347511196.0000000000602000.00000002.00000001.01000000.00000006.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
              • 0x88ed:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
              • 0x898a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
              • 0x8a9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
              • 0x847f:$cnc4: POST / HTTP/1.1
              00000000.00000002.1349668045.0000000012329000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                00000003.00000000.1348602915.0000000000092000.00000002.00000001.01000000.00000007.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                  00000000.00000002.1349668045.00000000123B7000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                    Click to see the 10 entries

                    Unpacked PEs

                    SourceRuleDescriptionAuthorStrings
                    2.0.XClient.exe.600000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                      2.0.XClient.exe.600000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                      • 0x8aed:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                      • 0x8b8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                      • 0x8c9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                      • 0x867f:$cnc4: POST / HTTP/1.1
                      0.2.QLTa31hZsN.exe.238e840.2.unpackJoeSecurity_XWormYara detected XWormJoe Security
                        0.2.QLTa31hZsN.exe.238e840.2.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                        • 0x6ced:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                        • 0x6d8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                        • 0x6e9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                        • 0x687f:$cnc4: POST / HTTP/1.1
                        0.2.QLTa31hZsN.exe.238e840.2.raw.unpackJoeSecurity_XWormYara detected XWormJoe Security
                          Click to see the 16 entries

                          Sigma Signatures

                          System Summary

                          barindex
                          Sigma detected: CurrentVersion Autorun Keys Modification
                          Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\XClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\XClient.exe, ProcessId: 7564, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient
                          Sigma detected: Startup Folder File Write
                          Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\XClient.exe, ProcessId: 7564, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

                          Suricata Signatures

                          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                          2024-11-25T13:58:59.321930+010020432341A Network Trojan was detected212.162.149.5336014192.168.2.949713TCP
                          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                          2024-11-25T13:58:58.978563+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:04.379285+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:05.196325+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:05.716651+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:06.063790+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:06.442088+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:06.797465+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:07.153033+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:07.504383+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:08.001156+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:08.354122+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:08.735580+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:09.124009+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:09.468617+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:09.818377+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:10.163640+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:10.596211+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:11.082391+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:11.407262+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:12.569166+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:13.039064+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:13.161167+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:14.384459+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:14.739771+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          2024-11-25T13:59:15.132883+010020432311A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                          2024-11-25T13:59:04.728231+010020460561A Network Trojan was detected212.162.149.5336014192.168.2.949713TCP
                          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                          2024-11-25T13:58:58.978563+010020460451A Network Trojan was detected192.168.2.949713212.162.149.5336014TCP
                          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                          2024-11-25T13:59:18.181067+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T13:59:30.170067+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T13:59:31.784664+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T13:59:45.405454+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T13:59:59.004250+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:00.181083+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:05.565401+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:06.415695+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:06.617019+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:06.785162+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:07.442618+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:07.643320+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:07.687989+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:07.844151+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:08.007124+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:14.910241+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:18.069961+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:18.270809+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:18.512240+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:18.641861+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:23.863825+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:24.107434+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:29.455925+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:30.156856+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:37.649359+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:44.325273+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:49.670120+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:55.128458+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:55.329673+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:57.478454+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:00.177565+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:05.239256+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:06.221734+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:09.186107+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:10.326225+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:10.527321+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:19.818605+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:26.143883+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:26.344967+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:26.470739+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:27.000198+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:28.108451+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:30.187423+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:37.316718+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:42.725635+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:42.926683+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:44.701272+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:46.536893+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:51.208867+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:57.706534+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:00.003471+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:00.204617+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:00.848894+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:02.083745+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:02.273934+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:04.050782+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:07.645545+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:14.066720+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:17.961886+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:18.158171+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:18.278320+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:18.359262+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:18.441816+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:23.880317+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:28.425648+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:28.633451+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:28.753264+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:28.996131+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:30.182723+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:34.636733+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:39.255164+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:42.317112+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:42.812741+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:44.350178+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:44.551649+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:48.356260+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:49.499308+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:53.707791+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:54.543342+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:54.744106+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:03:00.715622+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:03:00.715722+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:03:00.957275+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:03:03.758650+010028528701Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                          2024-11-25T13:59:18.210077+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T13:59:31.786624+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T13:59:45.409004+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T13:59:59.006014+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:05.568226+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:06.449582+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:06.691882+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:06.812857+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:07.688043+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:07.763471+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:07.926209+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:08.046818+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:14.912697+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:18.190610+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:18.311132+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:18.552246+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:18.672349+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:23.865606+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:24.113170+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:29.457832+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:37.652688+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:44.327086+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:49.673380+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:55.133546+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:55.336619+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:00:57.480277+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:05.243305+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:05.442753+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:05.563162+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:06.223615+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:09.187611+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:10.328120+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:10.529147+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:19.820626+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:26.149236+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:26.348892+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:26.475405+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:27.012974+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:28.109895+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:37.342475+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:42.727720+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:42.929001+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:44.707494+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:46.543540+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:51.472602+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:01:57.708657+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:00.076176+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:00.851817+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:02.086562+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:02.277947+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:04.052939+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:07.648980+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:14.068753+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:18.118857+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:18.163186+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:18.335660+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:18.375677+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:18.460335+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:23.881695+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:28.439318+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:28.836211+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:29.047705+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:34.667715+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:39.256745+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:42.323746+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:42.819747+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:44.359760+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:44.553892+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:48.361611+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:49.501187+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:53.713360+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:54.545276+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:02:54.745874+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:03:00.958876+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:03:01.159820+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          2024-11-25T14:03:03.759515+010028529231Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP
                          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                          2024-11-25T13:59:30.170067+010028528741Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:00.181083+010028528741Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:00:30.156856+010028528741Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:00.177565+010028528741Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:01:30.187423+010028528741Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:00.204617+010028528741Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:02:30.182723+010028528741Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:03:00.715622+010028528741Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          2024-11-25T14:03:00.715722+010028528741Malware Command and Control Activity Detected212.162.149.537071192.168.2.949728TCP
                          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                          2024-11-25T14:00:29.095222+010028531931Malware Command and Control Activity Detected192.168.2.949728212.162.149.537071TCP

                          Joe Sandbox Signatures

                          Click to jump to signature section

                          Show All Signature Results

                          AV Detection

                          barindex
                          Antivirus / Scanner detection for submitted sample
                          Source: QLTa31hZsN.exeAvira: detected
                          Antivirus detection for dropped file
                          Source: C:\Users\user\AppData\Roaming\XClient.exeAvira: detection malicious, Label: TR/Spy.Gen
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeAvira: detection malicious, Label: TR/Spy.Gen
                          Found malware configuration
                          Source: 00000000.00000002.1349573008.0000000002321000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["212.162.149.53"], "Port": 7071, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
                          Source: 0.2.QLTa31hZsN.exe.12374d08.4.raw.unpackMalware Configuration Extractor: RedLine {"C2 url": ["212.162.149.53:36014"], "Bot Id": "FOZ", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
                          Multi AV Scanner detection for submitted file
                          Source: QLTa31hZsN.exeReversingLabs: Detection: 57%
                          AI detected suspicious sample
                          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                          Machine Learning detection for dropped file
                          Source: C:\Users\user\AppData\Local\Temp\build.exeJoe Sandbox ML: detected
                          Source: C:\Users\user\AppData\Roaming\XClient.exeJoe Sandbox ML: detected
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeJoe Sandbox ML: detected
                          Machine Learning detection for sample
                          Source: QLTa31hZsN.exeJoe Sandbox ML: detected
                          Sample uses string decryption to hide its real strings
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpackString decryptor: 212.162.149.53
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpackString decryptor: 7071
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpackString decryptor: <123456789>
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpackString decryptor: <Xwormmm>
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpackString decryptor: XWorm V5.6
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpackString decryptor: USB.exe
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpackString decryptor: %AppData%
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpackString decryptor: XClient.exe
                          Source: QLTa31hZsN.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: QLTa31hZsN.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                          Networking

                          barindex
                          Suricata IDS alerts for network traffic
                          Source: Network trafficSuricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.9:49713 -> 212.162.149.53:36014
                          Source: Network trafficSuricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.9:49713 -> 212.162.149.53:36014
                          Source: Network trafficSuricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 212.162.149.53:36014 -> 192.168.2.9:49713
                          Source: Network trafficSuricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 212.162.149.53:36014 -> 192.168.2.9:49713
                          Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:49728 -> 212.162.149.53:7071
                          Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 212.162.149.53:7071 -> 192.168.2.9:49728
                          Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.9:49728 -> 212.162.149.53:7071
                          Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 212.162.149.53:7071 -> 192.168.2.9:49728
                          Source: Network trafficSuricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:49728 -> 212.162.149.53:7071
                          C2 URLs / IPs found in malware configuration
                          Source: Malware configuration extractorURLs: 212.162.149.53
                          Source: Malware configuration extractorURLs: 212.162.149.53:36014
                          Connects to many ports of the same IP (likely port scanning)
                          Source: global trafficTCP traffic: 212.162.149.53 ports 7071,0,1,3,4,6,36014
                          Source: global trafficTCP traffic: 192.168.2.9:49713 -> 212.162.149.53:36014
                          Source: Joe Sandbox ViewIP Address: 212.162.149.53 212.162.149.53
                          Source: Joe Sandbox ViewASN Name: UNREAL-SERVERSUS UNREAL-SERVERSUS
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.53
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                          Source: XClient.exe, 00000002.00000002.3814842487.0000000002911000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.1542262914.0000000002581000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.1542262914.00000000025E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                          Source: build.exe, 00000003.00000002.1542262914.00000000025E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002581000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002581000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002581000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002581000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002581000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002581000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.1542262914.00000000025E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                          Source: build.exe, 00000003.00000002.1542262914.00000000025E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                          Source: build.exe, 00000003.00000002.1542262914.00000000025E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                          Source: build.exe, 00000003.00000002.1542262914.00000000025E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002581000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                          Source: build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                          Source: build.exe, 00000003.00000002.1542262914.0000000002581000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                          Source: QLTa31hZsN.exe, 00000000.00000002.1349668045.0000000012329000.00000004.00000800.00020000.00000000.sdmp, QLTa31hZsN.exe, 00000000.00000002.1349668045.00000000123B7000.00000004.00000800.00020000.00000000.sdmp, QLTa31hZsN.exe, 00000000.00000002.1349668045.0000000012402000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000000.1348602915.0000000000092000.00000002.00000001.01000000.00000007.sdmp, build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.drString found in binary or memory: https://api.ip.sb/ip

                          Key, Mouse, Clipboard, Microphone and Screen Capturing

                          barindex
                          Contains functionality to log keystrokes (.Net Source)
                          Source: XClient.exe.0.dr, XLogger.cs.Net Code: KeyboardLayout
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpack, XLogger.cs.Net Code: KeyboardLayout
                          Source: 0.2.QLTa31hZsN.exe.23845a8.1.raw.unpack, XLogger.cs.Net Code: KeyboardLayout
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                          System Summary

                          barindex
                          Malicious sample detected (through community Yara rule)
                          Source: 2.0.XClient.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: 0.2.QLTa31hZsN.exe.237a340.3.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: 0.2.QLTa31hZsN.exe.23845a8.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: 0.2.QLTa31hZsN.exe.237a340.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: 0.2.QLTa31hZsN.exe.23845a8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: 00000002.00000000.1347511196.0000000000602000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: 00000000.00000002.1349573008.0000000002321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess Stats: CPU usage > 49%
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeCode function: 2_2_00007FF887D393022_2_00007FF887D39302
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeCode function: 2_2_00007FF887D30EE92_2_00007FF887D30EE9
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeCode function: 2_2_00007FF887D385562_2_00007FF887D38556
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeCode function: 2_2_00007FF887D32D582_2_00007FF887D32D58
                          Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 3_2_0092DC743_2_0092DC74
                          Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 3_2_069FA7C83_2_069FA7C8
                          Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 3_2_069F078A3_2_069F078A
                          Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 3_2_069F72DA3_2_069F72DA
                          Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 3_2_069F72E83_2_069F72E8
                          Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 3_2_069F00403_2_069F0040
                          Source: C:\Users\user\AppData\Roaming\XClient.exeCode function: 5_2_00007FF887D20EE95_2_00007FF887D20EE9
                          Source: C:\Users\user\AppData\Roaming\XClient.exeCode function: 7_2_00007FF887D20EE97_2_00007FF887D20EE9
                          Source: QLTa31hZsN.exe, 00000000.00000002.1349668045.00000000123B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs QLTa31hZsN.exe
                          Source: QLTa31hZsN.exe, 00000000.00000000.1339867824.00000000000BA000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameX-Red.exe4 vs QLTa31hZsN.exe
                          Source: QLTa31hZsN.exe, 00000000.00000002.1349573008.0000000002321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs QLTa31hZsN.exe
                          Source: QLTa31hZsN.exe, 00000000.00000002.1349668045.0000000012402000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs QLTa31hZsN.exe
                          Source: QLTa31hZsN.exe, 00000000.00000002.1349027402.000000000055F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs QLTa31hZsN.exe
                          Source: QLTa31hZsN.exeBinary or memory string: OriginalFilenameX-Red.exe4 vs QLTa31hZsN.exe
                          Source: QLTa31hZsN.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: 2.0.XClient.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                          Source: 0.2.QLTa31hZsN.exe.237a340.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                          Source: 0.2.QLTa31hZsN.exe.23845a8.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                          Source: 0.2.QLTa31hZsN.exe.237a340.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                          Source: 0.2.QLTa31hZsN.exe.23845a8.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                          Source: 00000002.00000000.1347511196.0000000000602000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                          Source: 00000000.00000002.1349573008.0000000002321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                          Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                          Source: QLTa31hZsN.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: QLTa31hZsN.exe, ctkeyaynkqfwzwfm.csCryptographic APIs: 'CreateDecryptor'
                          Source: XClient.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                          Source: XClient.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                          Source: XClient.exe.0.dr, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                          Source: 0.2.QLTa31hZsN.exe.23845a8.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                          Source: 0.2.QLTa31hZsN.exe.23845a8.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                          Source: 0.2.QLTa31hZsN.exe.23845a8.1.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                          Source: XClient.exe.0.dr, Settings.csBase64 encoded string: 'Li3D6xJyfjNirkvTw4IKKITXKoAlILEoQOC6wzYmjhT5RoU8SedBt0R+YyvrNE+F', 'L3Fv/Av3MtMUvAiSppKewrOZ2Mc5Bt23HDFEmqV8HWgje6r9+B44i8rudatctlsm'
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpack, Settings.csBase64 encoded string: 'Li3D6xJyfjNirkvTw4IKKITXKoAlILEoQOC6wzYmjhT5RoU8SedBt0R+YyvrNE+F', 'L3Fv/Av3MtMUvAiSppKewrOZ2Mc5Bt23HDFEmqV8HWgje6r9+B44i8rudatctlsm'
                          Source: 0.2.QLTa31hZsN.exe.23845a8.1.raw.unpack, Settings.csBase64 encoded string: 'Li3D6xJyfjNirkvTw4IKKITXKoAlILEoQOC6wzYmjhT5RoU8SedBt0R+YyvrNE+F', 'L3Fv/Av3MtMUvAiSppKewrOZ2Mc5Bt23HDFEmqV8HWgje6r9+B44i8rudatctlsm'
                          Source: XClient.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                          Source: XClient.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: 0.2.QLTa31hZsN.exe.23845a8.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                          Source: 0.2.QLTa31hZsN.exe.23845a8.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/8@0/1
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QLTa31hZsN.exe.logJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeMutant created: NULL
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeMutant created: \Sessions\1\BaseNamedObjects\9GNxvcpH1EHQrLdj
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeFile created: C:\Users\user\AppData\Local\Temp\XClient.exeJump to behavior
                          Source: QLTa31hZsN.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: QLTa31hZsN.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                          Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                          Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                          Source: QLTa31hZsN.exeReversingLabs: Detection: 57%
                          Source: unknownProcess created: C:\Users\user\Desktop\QLTa31hZsN.exe "C:\Users\user\Desktop\QLTa31hZsN.exe"
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
                          Source: unknownProcess created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
                          Source: unknownProcess created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe" Jump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe" Jump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: edputil.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: appresolver.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: bcp47langs.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: slc.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: sppc.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: sxs.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: mpr.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: scrrun.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: linkinfo.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: ntshrui.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: cscapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: edputil.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: textinputframework.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: coreuicomponents.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: coremessaging.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: ntmarta.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: wbemcomn.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: amsi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: avicap32.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: msvfw32.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeSection loaded: winmm.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: dwrite.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: secur32.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: wbemcomn.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: amsi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: dpapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: rstrtmgr.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: ncrypt.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: ntasn1.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeSection loaded: windowscodecs.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                          Source: QLTa31hZsN.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                          Source: QLTa31hZsN.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                          Data Obfuscation

                          barindex
                          .NET source code contains method to dynamically call methods (often used by packers)
                          Source: XClient.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: XClient.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: 0.2.QLTa31hZsN.exe.23845a8.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: 0.2.QLTa31hZsN.exe.23845a8.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                          .NET source code contains potential unpacker
                          Source: XClient.exe.0.dr, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                          Source: XClient.exe.0.dr, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                          Source: XClient.exe.0.dr, Messages.cs.Net Code: Memory
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                          Source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpack, Messages.cs.Net Code: Memory
                          Source: 0.2.QLTa31hZsN.exe.23845a8.1.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                          Source: 0.2.QLTa31hZsN.exe.23845a8.1.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                          Source: 0.2.QLTa31hZsN.exe.23845a8.1.raw.unpack, Messages.cs.Net Code: Memory
                          Source: build.exe.0.drStatic PE information: 0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]
                          Source: QLTa31hZsN.exeStatic PE information: section name: .text entropy: 7.997265136130929
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeFile created: C:\Users\user\AppData\Local\Temp\build.exeJump to dropped file
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeFile created: C:\Users\user\AppData\Local\Temp\XClient.exeJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeFile created: C:\Users\user\AppData\Roaming\XClient.exeJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnkJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnkJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClientJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClientJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                          Malware Analysis System Evasion

                          barindex
                          Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                          Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                          Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                          Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeMemory allocated: 6F0000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeMemory allocated: 1A320000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeMemory allocated: B50000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeMemory allocated: 1A910000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeMemory allocated: 900000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeMemory allocated: 24A0000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeMemory allocated: 23D0000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeMemory allocated: F20000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeMemory allocated: 1ACF0000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeMemory allocated: CD0000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeMemory allocated: 1A710000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeWindow / User API: threadDelayed 2566Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeWindow / User API: threadDelayed 7164Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeWindow / User API: threadDelayed 2994Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeWindow / User API: threadDelayed 1840Jump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exe TID: 7468Thread sleep time: -922337203685477s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exe TID: 7732Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7988Thread sleep time: -13835058055282155s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7612Thread sleep time: -922337203685477s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 8044Thread sleep time: -922337203685477s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 7260Thread sleep time: -922337203685477s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696497155d
                          Source: build.exe, 00000003.00000002.1542262914.00000000028AC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696497155LR
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696497155s
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696497155f
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696497155x
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696497155x
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696497155d
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155x
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696497155t
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696497155t
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155}
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696497155}
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696497155u
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696497155f
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696497155u
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696497155s
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696497155j
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696497155t
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696497155j
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696497155o
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696497155]
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696497155o
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                          Source: XClient.exe, 00000002.00000002.3820087274.000000001B8AA000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000003.00000002.1541023079.0000000000667000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696497155]
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155}
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155x
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696497155t
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696497155}
                          Source: build.exe, 00000003.00000002.1546395563.0000000003806000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696497155
                          Source: build.exe, 00000003.00000002.1546395563.00000000038FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess information queried: ProcessInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeMemory allocated: page read and write | page guardJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe" Jump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeProcess created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe" Jump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeQueries volume information: C:\Users\user\Desktop\QLTa31hZsN.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeQueries volume information: C:\Users\user\AppData\Local\Temp\XClient.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeQueries volume information: C:\ VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Users\user\AppData\Local\Temp\build.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeQueries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\XClient.exeQueries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\QLTa31hZsN.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                          Source: XClient.exe, 00000002.00000002.3820087274.000000001B875000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000003.00000002.1557468687.00000000058D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                          Source: C:\Users\user\AppData\Local\Temp\XClient.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                          Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                          Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                          Stealing of Sensitive Information

                          barindex
                          Yara detected RedLine Stealer
                          Source: Yara matchFile source: dump.pcap, type: PCAP
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.123bff50.6.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.12374d08.4.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.1240b188.5.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.12374d08.4.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.1240b188.5.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.123bff50.6.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 3.0.build.exe.90000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000000.00000002.1349668045.0000000012329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000003.00000000.1348602915.0000000000092000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.1349668045.00000000123B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.1349668045.0000000012402000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: QLTa31hZsN.exe PID: 7448, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: build.exe PID: 7592, type: MEMORYSTR
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
                          Yara detected XWorm
                          Source: Yara matchFile source: 2.0.XClient.exe.600000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.238e840.2.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.237a340.3.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.23845a8.1.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.237a340.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.23845a8.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000002.00000000.1347511196.0000000000602000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.1349573008.0000000002321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000002.00000002.3814842487.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: QLTa31hZsN.exe PID: 7448, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: XClient.exe PID: 7564, type: MEMORYSTR
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
                          Tries to harvest and steal browser information (history, passwords, etc)
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqliteJump to behavior
                          Tries to steal Crypto Currency Wallets
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\Jump to behavior
                          Source: Yara matchFile source: 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: build.exe PID: 7592, type: MEMORYSTR

                          Remote Access Functionality

                          barindex
                          Yara detected RedLine Stealer
                          Source: Yara matchFile source: dump.pcap, type: PCAP
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.123bff50.6.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.12374d08.4.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.1240b188.5.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.12374d08.4.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.1240b188.5.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.123bff50.6.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 3.0.build.exe.90000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000000.00000002.1349668045.0000000012329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000003.00000000.1348602915.0000000000092000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.1349668045.00000000123B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.1349668045.0000000012402000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: QLTa31hZsN.exe PID: 7448, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: build.exe PID: 7592, type: MEMORYSTR
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
                          Yara detected XWorm
                          Source: Yara matchFile source: 2.0.XClient.exe.600000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.238e840.2.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.238e840.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.237a340.3.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.23845a8.1.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.237a340.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.QLTa31hZsN.exe.23845a8.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000002.00000000.1347511196.0000000000602000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.1349573008.0000000002321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000002.00000002.3814842487.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: QLTa31hZsN.exe PID: 7448, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: XClient.exe PID: 7564, type: MEMORYSTR
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

                          Mitre Att&ck Matrix

                          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                          Gather Victim Identity InformationAcquire InfrastructureValid Accounts221
                          Windows Management Instrumentation                          		21
                          Registry Run Keys / Startup Folder                          		11
                          Process Injection                          		1
                          Masquerading                          		1
                          OS Credential Dumping                          		231
                          Security Software Discovery                          		Remote Services1
                          Input Capture                          		1
                          Encrypted Channel                          		Exfiltration Over Other Network MediumAbuse Accessibility Features
                          CredentialsDomainsDefault AccountsScheduled Task/Job1
                          DLL Side-Loading                          		21
                          Registry Run Keys / Startup Folder                          		1
                          Disable or Modify Tools                          		1
                          Input Capture                          		1
                          Process Discovery                          		Remote Desktop Protocol11
                          Archive Collected Data                          		1
                          Non-Standard Port                          		Exfiltration Over BluetoothNetwork Denial of Service
                          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                          DLL Side-Loading                          		241
                          Virtualization/Sandbox Evasion                          		Security Account Manager241
                          Virtualization/Sandbox Evasion                          		SMB/Windows Admin Shares2
                          Data from Local System                          		1
                          Application Layer Protocol                          		Automated ExfiltrationData Encrypted for Impact
                          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                          Process Injection                          		NTDS1
                          Application Window Discovery                          		Distributed Component Object Model1
                          Clipboard Data                          		Protocol ImpersonationTraffic DuplicationData Destruction
                          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                          Deobfuscate/Decode Files or Information                          		LSA Secrets1
                          File and Directory Discovery                          		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                          Obfuscated Files or Information                          		Cached Domain Credentials114
                          System Information Discovery                          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items22
                          Software Packing                          		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                          Timestomp                          		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                          DLL Side-Loading                          		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                          Behavior Graph

                          Hide Legend

                          Legend:

                          • Process
                          • Signature
                          • Created File
                          • DNS/IP Info
                          • Is Dropped
                          • Is Windows Process
                          • Number of created Registry Values
                          • Number of created Files
                          • Visual Basic
                          • Delphi
                          • Java
                          • .Net C# or VB.NET
                          • C, C++ or other language
                          • Is malicious
                          • Internet

                          Screenshots

                          Thumbnails

                          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                          windows-stand

                          Antivirus, Machine Learning and Genetic Malware Detection

                          Initial Sample

                          SourceDetectionScannerLabelLink
                          QLTa31hZsN.exe58%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
                          QLTa31hZsN.exe100%AviraTR/Dropper.Gen
                          QLTa31hZsN.exe100%Joe Sandbox ML

                          Dropped Files

                          SourceDetectionScannerLabelLink
                          C:\Users\user\AppData\Roaming\XClient.exe100%AviraTR/Spy.Gen
                          C:\Users\user\AppData\Local\Temp\XClient.exe100%AviraTR/Spy.Gen
                          C:\Users\user\AppData\Local\Temp\build.exe100%Joe Sandbox ML
                          C:\Users\user\AppData\Roaming\XClient.exe100%Joe Sandbox ML
                          C:\Users\user\AppData\Local\Temp\XClient.exe100%Joe Sandbox ML

                          Unpacked PE Files

                          No Antivirus matches

                          Domains

                          No Antivirus matches

                          URLs

                          No Antivirus matches

                          Domains and IPs

                          Contacted Domains

                          NameIPActiveMaliciousAntivirus DetectionReputation
                          s-part-0035.t-0009.t-msedge.net
                          		13.107.246.63
                          		truefalse
                            		high

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Textbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://schemas.xmlsoap.org/ws/2005/02/sc/sctbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://schemas.xmlsoap.org/ws/2004/04/security/sc/dkbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://tempuri.org/Entity/Id14ResponseDbuild.exe, 00000003.00000002.1542262914.0000000002581000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://tempuri.org/Entity/Id23ResponseDbuild.exe, 00000003.00000002.1542262914.00000000025E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinarybuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://tempuri.org/Entity/Id12Responsebuild.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://tempuri.org/build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://tempuri.org/Entity/Id2Responsebuild.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://tempuri.org/Entity/Id21Responsebuild.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrapbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://tempuri.org/Entity/Id9build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://tempuri.org/Entity/Id8build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://tempuri.org/Entity/Id6ResponseDbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://tempuri.org/Entity/Id5build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Preparebuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://tempuri.org/Entity/Id4build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://tempuri.org/Entity/Id7build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://tempuri.org/Entity/Id6build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://tempuri.org/Entity/Id19Responsebuild.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licensebuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issuebuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Abortedbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequencebuild.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  http://tempuri.org/Entity/Id13ResponseDbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/faultbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsatbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeybuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          http://tempuri.org/Entity/Id15Responsebuild.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            http://tempuri.org/Entity/Id5ResponseDbuild.exe, 00000003.00000002.1542262914.00000000025E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameXClient.exe, 00000002.00000002.3814842487.0000000002911000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.1542262914.0000000002581000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renewbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wscoor/Registerbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    http://tempuri.org/Entity/Id6Responsebuild.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeybuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://api.ip.sb/ipQLTa31hZsN.exe, 00000000.00000002.1349668045.0000000012329000.00000004.00000800.00020000.00000000.sdmp, QLTa31hZsN.exe, 00000000.00000002.1349668045.00000000123B7000.00000004.00000800.00020000.00000000.sdmp, QLTa31hZsN.exe, 00000000.00000002.1349668045.0000000012402000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000000.1348602915.0000000000092000.00000002.00000001.01000000.00000007.sdmp, build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmp, build.exe.0.drfalse
                                                                                                          		high
                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/scbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            http://tempuri.org/Entity/Id1ResponseDbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                		high
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancelbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  http://tempuri.org/Entity/Id9Responsebuild.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    http://tempuri.org/Entity/Id20build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      		high
                                                                                                                      http://tempuri.org/Entity/Id21build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        http://tempuri.org/Entity/Id22build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          		high
                                                                                                                          http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            		high
                                                                                                                            http://tempuri.org/Entity/Id23build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              		high
                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                		high
                                                                                                                                http://tempuri.org/Entity/Id24build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issuebuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    http://tempuri.org/Entity/Id24Responsebuild.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      http://tempuri.org/Entity/Id1Responsebuild.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        		high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedbuild.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          		high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlybuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Replaybuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              		high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegobuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                		high
                                                                                                                                                http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binarybuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  		high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    		high
                                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeybuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      		high
                                                                                                                                                      http://tempuri.org/Entity/Id21ResponseDbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        		high
                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/08/addressingbuild.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          		high
                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuebuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            		high
                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Completionbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              		high
                                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/trustbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                		high
                                                                                                                                                                http://tempuri.org/Entity/Id10build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  		high
                                                                                                                                                                  http://tempuri.org/Entity/Id11build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    		high
                                                                                                                                                                    http://tempuri.org/Entity/Id10ResponseDbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      		high
                                                                                                                                                                      http://tempuri.org/Entity/Id12build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        		high
                                                                                                                                                                        http://tempuri.org/Entity/Id16Responsebuild.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          		high
                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsebuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            		high
                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancelbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              		high
                                                                                                                                                                              http://tempuri.org/Entity/Id13build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                		high
                                                                                                                                                                                http://tempuri.org/Entity/Id14build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  		high
                                                                                                                                                                                  http://tempuri.org/Entity/Id15build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    		high
                                                                                                                                                                                    http://tempuri.org/Entity/Id16build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      		high
                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/Noncebuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        		high
                                                                                                                                                                                        http://tempuri.org/Entity/Id17build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          		high
                                                                                                                                                                                          http://tempuri.org/Entity/Id18build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            		high
                                                                                                                                                                                            http://tempuri.org/Entity/Id5Responsebuild.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              		high
                                                                                                                                                                                              http://tempuri.org/Entity/Id19build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                		high
                                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsbuild.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  		high
                                                                                                                                                                                                  http://tempuri.org/Entity/Id15ResponseDbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    		high
                                                                                                                                                                                                    http://tempuri.org/Entity/Id10Responsebuild.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      		high
                                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/Renewbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        		high
                                                                                                                                                                                                        http://tempuri.org/Entity/Id11ResponseDbuild.exe, 00000003.00000002.1542262914.00000000025E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          		high
                                                                                                                                                                                                          http://tempuri.org/Entity/Id8Responsebuild.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            		high
                                                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeybuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              		high
                                                                                                                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                		high
                                                                                                                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  		high
                                                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    		high
                                                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2006/02/addressingidentitybuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      		high
                                                                                                                                                                                                                      http://tempuri.org/Entity/Id17ResponseDbuild.exe, 00000003.00000002.1542262914.0000000002581000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        		high
                                                                                                                                                                                                                        http://schemas.xmlsoap.org/soap/envelope/build.exe, 00000003.00000002.1542262914.00000000024A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          		high
                                                                                                                                                                                                                          http://tempuri.org/Entity/Id8ResponseDbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            		high
                                                                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeybuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              		high
                                                                                                                                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1build.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                		high
                                                                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trustbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                  		high
                                                                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollbackbuild.exe, 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                    		high

                                                                                                                                                                                                                                    World Map of Contacted IPs

                                                                                                                                                                                                                                    • No. of IPs < 25%
                                                                                                                                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                                                                                                                                    • 75% < No. of IPs

                                                                                                                                                                                                                                    Public IPs

                                                                                                                                                                                                                                    IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                                                                    212.162.149.53
                                                                                                                                                                                                                                    		unknownNetherlands
                                                                                                                                                                                                                                    		64236UNREAL-SERVERSUStrue

                                                                                                                                                                                                                                    General Information

                                                                                                                                                                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                                    Analysis ID:1562320
                                                                                                                                                                                                                                    Start date and time:2024-11-25 13:58:01 +01:00
                                                                                                                                                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                                    Overall analysis duration:0h 8m 44s
                                                                                                                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                                    Report type:full
                                                                                                                                                                                                                                    Cookbook file name:default.jbs
                                                                                                                                                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                                    Number of analysed new started processes analysed:11
                                                                                                                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                                                                                                                    Number of injected processes analysed:0
                                                                                                                                                                                                                                    Technologies:
                                                                                                                                                                                                                                    • HCA enabled
                                                                                                                                                                                                                                    • EGA enabled
                                                                                                                                                                                                                                    • AMSI enabled
                                                                                                                                                                                                                                    Analysis Mode:default
                                                                                                                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                                                                                                                    Sample name:QLTa31hZsN.exe
                                                                                                                                                                                                                                    renamed because original name is a hash value
                                                                                                                                                                                                                                    Original Sample Name:b22198ac3df18326aba01db3b50038e880327bad5ec59cc248848cd98d5eb0f6.exe
                                                                                                                                                                                                                                    Detection:MAL
                                                                                                                                                                                                                                    Classification:mal100.troj.spyw.evad.winEXE@7/8@0/1
                                                                                                                                                                                                                                    EGA Information:
                                                                                                                                                                                                                                    • Successful, ratio: 40%
                                                                                                                                                                                                                                    HCA Information:
                                                                                                                                                                                                                                    • Successful, ratio: 98%
                                                                                                                                                                                                                                    • Number of executed functions: 38
                                                                                                                                                                                                                                    • Number of non-executed functions: 0
                                                                                                                                                                                                                                    Cookbook Comments:
                                                                                                                                                                                                                                    • Found application associated with file extension: .exe
                                                                                                                                                                                                                                    • Override analysis time to 240000 for current running targets taking high CPU consumption

                                                                                                                                                                                                                                    Warnings

                                                                                                                                                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                                    • Execution Graph export aborted for target QLTa31hZsN.exe, PID 7448 because it is empty
                                                                                                                                                                                                                                    • Execution Graph export aborted for target XClient.exe, PID 4084 because it is empty
                                                                                                                                                                                                                                    • Execution Graph export aborted for target XClient.exe, PID 8024 because it is empty
                                                                                                                                                                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                                    • VT rate limit hit for: QLTa31hZsN.exe

                                                                                                                                                                                                                                    Simulations

                                                                                                                                                                                                                                    Behavior and APIs

                                                                                                                                                                                                                                    TimeTypeDescription
                                                                                                                                                                                                                                    07:59:03API Interceptor13490862x Sleep call for process: XClient.exe modified
                                                                                                                                                                                                                                    07:59:10API Interceptor26x Sleep call for process: build.exe modified
                                                                                                                                                                                                                                    12:59:03AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
                                                                                                                                                                                                                                    12:59:11AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
                                                                                                                                                                                                                                    12:59:20AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

                                                                                                                                                                                                                                    Joe Sandbox View / Context

                                                                                                                                                                                                                                    IPs

                                                                                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                    212.162.149.53New_Order_PO_GM5637H93.exeGet hashmaliciousAgentTesla, PureLog Stealer, RedLine, XWormBrowse
                                                                                                                                                                                                                                      AENiBH7X1q.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                                                                                                                                                                        RFQ_PO_UMQ736-ORDER#MATERIALS-LQKP0489.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                          New_Order_568330_Material_Specifications.exeGet hashmaliciousAgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWormBrowse
                                                                                                                                                                                                                                            RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                                                                                                                                                                              PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                                                                                                                                                                                PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                                                                                                                                                                                  R7Xrrix6Sx.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                                                                                                                    RFQ -PO.20571-0001-QBMS-PRQ-0200140.jsGet hashmaliciousAgentTesla, RedLineBrowse
                                                                                                                                                                                                                                                      RFQ_PO-WDX73892970.vbsGet hashmaliciousRedLineBrowse

                                                                                                                                                                                                                                                        Domains

                                                                                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                                        s-part-0035.t-0009.t-msedge.netMSM8C42iAN.exeGet hashmaliciousDarkCloudBrowse
                                                                                                                                                                                                                                                        • 13.107.246.63
                                                                                                                                                                                                                                                        New Purchase Order Document for PO1136908 000 SE.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                                                                        • 13.107.246.63
                                                                                                                                                                                                                                                        November Quotation.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                                                                                                                        • 13.107.246.63
                                                                                                                                                                                                                                                        wMy37vlfvz.exeGet hashmaliciousDarkCloudBrowse
                                                                                                                                                                                                                                                        • 13.107.246.63
                                                                                                                                                                                                                                                        Vendor Agreement Ready for Your Signature November 22 2024 at 084923 PM.msgGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                                                        • 13.107.246.63
                                                                                                                                                                                                                                                        file.exeGet hashmaliciousAmadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                                        • 13.107.246.63
                                                                                                                                                                                                                                                        file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                        • 13.107.246.63
                                                                                                                                                                                                                                                        file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                                                        • 13.107.246.63
                                                                                                                                                                                                                                                        file.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                        • 13.107.246.63
                                                                                                                                                                                                                                                        file.exeGet hashmaliciousStealc, VidarBrowse
                                                                                                                                                                                                                                                        • 13.107.246.63

                                                                                                                                                                                                                                                        ASNs

                                                                                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                                        UNREAL-SERVERSUSmCtN05kxh6.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                                                        • 162.251.122.86
                                                                                                                                                                                                                                                        Bank Fund Transfer-589237.scr.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                                                        • 212.162.149.226
                                                                                                                                                                                                                                                        Payment Transfer Request Form.bat.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                                                        • 212.162.149.226
                                                                                                                                                                                                                                                        Pago_BBVA.pdf.bat.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                                                        • 162.251.122.76
                                                                                                                                                                                                                                                        PO - HTS - 0893.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                                                                                                                                                        • 212.162.149.35
                                                                                                                                                                                                                                                        PO - HTS - 0893.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                                                                                                                                                        • 212.162.149.35
                                                                                                                                                                                                                                                        PO 331385674200010.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                                                                                                                                                        • 212.162.149.35
                                                                                                                                                                                                                                                        Vodka.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                                                                        • 212.162.149.35
                                                                                                                                                                                                                                                        O0rhQM49FL.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                                                                                                                        • 212.162.151.158
                                                                                                                                                                                                                                                        cIs9D0juC8.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                                                                        • 212.162.149.7

                                                                                                                                                                                                                                                        JA3 Fingerprints

                                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                                        Dropped Files

                                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                                        Created / dropped Files

                                                                                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QLTa31hZsN.exe.log

                                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\QLTa31hZsN.exe
                                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):425
                                                                                                                                                                                                                                                        Entropy (8bit):5.357964438493834
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
                                                                                                                                                                                                                                                        MD5:D8F8A79B5C09FCB6F44E8CFFF11BF7CA
                                                                                                                                                                                                                                                        SHA1:669AFE705130C81BFEFECD7CC216E6E10E72CB81
                                                                                                                                                                                                                                                        SHA-256:91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
                                                                                                                                                                                                                                                        SHA-512:C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Reputation:moderate, very likely benign file
                                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..

                                                                                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

                                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Roaming\XClient.exe
                                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):654
                                                                                                                                                                                                                                                        Entropy (8bit):5.380476433908377
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                                                                                                                                                                                        MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                                                                                                                                                                                        SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                                                                                                                                                                                        SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                                                                                                                                                                                        SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Reputation:moderate, very likely benign file
                                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                                                                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\build.exe.log

                                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\build.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):3094
                                                                                                                                                                                                                                                        Entropy (8bit):5.33145931749415
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                                                                                                                                                                                                                                                        MD5:3FD5C0634443FB2EF2796B9636159CB6
                                                                                                                                                                                                                                                        SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
                                                                                                                                                                                                                                                        SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
                                                                                                                                                                                                                                                        SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Reputation:high, very likely benign file
                                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\Log.tmp

                                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\XClient.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):41
                                                                                                                                                                                                                                                        Entropy (8bit):3.7195394315431693
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
                                                                                                                                                                                                                                                        MD5:0DB526D48DAB0E640663E4DC0EFE82BA
                                                                                                                                                                                                                                                        SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
                                                                                                                                                                                                                                                        SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
                                                                                                                                                                                                                                                        SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Reputation:moderate, very likely benign file
                                                                                                                                                                                                                                                        Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r

                                                                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\XClient.exe

                                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\QLTa31hZsN.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):41472
                                                                                                                                                                                                                                                        Entropy (8bit):5.615792070447318
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:768:cSF2nEi97d/xhGrPivCNIxcmwlM72FD93eO+h8JrBD:cSwEYxZM0C9lMiFD93eO+WJBD
                                                                                                                                                                                                                                                        MD5:1C5CF825E29B63A62C3C8B1589D51A1E
                                                                                                                                                                                                                                                        SHA1:EA4F1DCEEEEA35B6BD17F4040511BBD0341246A8
                                                                                                                                                                                                                                                        SHA-256:D868406F1FDC6A5C15A70F03F6279FB8A3FE190EA5A4911BF6839FC483C753B0
                                                                                                                                                                                                                                                        SHA-512:C780AFF70B930EA221FFD96081C02116F76D2C7B20590FFF6AB04038E2AEF50AD57EB8F28A67C4DFDB6A00E3FE393E1238D448C3F346585242EE18D180203FD2
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: ditekSHen
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-%g............................~.... ........@.. ....................................@.................................,...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H........[...[............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..

                                                                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\build.exe

                                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\QLTa31hZsN.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):307712
                                                                                                                                                                                                                                                        Entropy (8bit):5.081333085654021
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3072:GcZqf7D34xp/0+mAykyoORQYg/xB1fA0PuTVAtkxzw3R4eqiOL2bBOA:GcZqf7DIjnmWhB1fA0GTV8kyYL
                                                                                                                                                                                                                                                        MD5:1ED2ECAE05AAA1C505136F5252287CC7
                                                                                                                                                                                                                                                        SHA1:2C73C09437C4C1D5E90013A6CA7A65AC0A5FADC5
                                                                                                                                                                                                                                                        SHA-256:D771F70BA342E5D4CD7F129A4A2B4A6C6C7293233135F266DB33F356986A70F9
                                                                                                                                                                                                                                                        SHA-512:CA82139310EA62EC8703F6FCB19D843644A5CE40323E8F7857C9FD3173BB0796EB20F9002209B9FCBFA7CE9858FE3B932E070F8449BC2736B6712D39515D9219
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\build.exe, Author: Joe Security
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H(...............0.................. ... ....@.. ....................... ............@.................................@...K.... ............................................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B................p.......H....... ... ...........(w..............................................a.u.t.o.f.i.l.l.5.t.Y.W.R.q.a.W.V.o.a.m.h.h.a.m.J.8.W.W.9.y.b.2.l.X.Y.W.x.s.Z.X.Q.K.a.W.J.u.Z.W.p.k.Z.m.p.t.b.W.t.w.Y.2.5.s.c.G.V.i.a.2.x.t.b.m.t.v.Z.W.9.p.a.G.9.m.Z.W.N.8.V.H.J.v.b.m.x.p.b.m.s.K.a.m.J.k.Y.W.9.j.b.m.V.p.a.W.l.u.b.W.p.i.a.m.x.n.Y.W.x.o.Y.2.V.s.Z.2.J.l.a.m.1.u.a.W.R.8.T.m.l.m.d.H.l.X.Y.W.x.s.Z.X.Q.K.b.m.t.i.a.W.h.m.Y.m.V.v.Z.2.F.l.Y.W.9.l.a.G.x.l.Z.m.5.r.b.2.R.i.Z.W.Z.n.c.G.d.r.b.m.5.8.T.W.

                                                                                                                                                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

                                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\XClient.exe
                                                                                                                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Nov 25 11:58:58 2024, mtime=Mon Nov 25 11:58:58 2024, atime=Mon Nov 25 11:58:58 2024, length=41472, window=hide
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):763
                                                                                                                                                                                                                                                        Entropy (8bit):5.040285386592612
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12:8Ux1nC24o1Yg4tChbyedY//bGWHBSLh48H11jAZqwNHkWOyumuFmV:8UURFvZ+S01BAZqwCXyPKm
                                                                                                                                                                                                                                                        MD5:097B9DF3E07C0BB08E5C59F392F08A0D
                                                                                                                                                                                                                                                        SHA1:30AEC598054C2C5295E841D97C2C661151EA031E
                                                                                                                                                                                                                                                        SHA-256:59135A003A5A5F9949271438C3666FC915FD8381287543B7C608A967CB338A28
                                                                                                                                                                                                                                                        SHA-512:B1C1CD5CC2713C669D9D5E4F61978D18EDECE08F624259F0C500E52BCCA569991FC74A91F8189AD49DCB064271BA8601072FC47BCBAE87E76A42CCB2D9445EFB
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:L..................F.... ...}...9?..}...9?..}...9?..........................v.:..DG..Yr?.D..U..k0.&...&.......bBDj.......9?...} .9?......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsGyYZg..........................=...A.p.p.D.a.t.a...B.V.1.....yYXg..Roaming.@......EWsGyYXg..............................R.o.a.m.i.n.g.....b.2.....yY`g .XClient.exe.H......yY`gyY`g.............................X.C.l.i.e.n.t...e.x.e.......X...............-.......W...........p8H......C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......942247...........hT..CrF.f4... .|.E._c...,...E...hT..CrF.f4... .|.E._c...,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                                                                                                                                                                                                                        C:\Users\user\AppData\Roaming\XClient.exe

                                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\XClient.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):41472
                                                                                                                                                                                                                                                        Entropy (8bit):5.615792070447318
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:768:cSF2nEi97d/xhGrPivCNIxcmwlM72FD93eO+h8JrBD:cSwEYxZM0C9lMiFD93eO+WJBD
                                                                                                                                                                                                                                                        MD5:1C5CF825E29B63A62C3C8B1589D51A1E
                                                                                                                                                                                                                                                        SHA1:EA4F1DCEEEEA35B6BD17F4040511BBD0341246A8
                                                                                                                                                                                                                                                        SHA-256:D868406F1FDC6A5C15A70F03F6279FB8A3FE190EA5A4911BF6839FC483C753B0
                                                                                                                                                                                                                                                        SHA-512:C780AFF70B930EA221FFD96081C02116F76D2C7B20590FFF6AB04038E2AEF50AD57EB8F28A67C4DFDB6A00E3FE393E1238D448C3F346585242EE18D180203FD2
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-%g............................~.... ........@.. ....................................@.................................,...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H........[...[............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..

                                                                                                                                                                                                                                                        Static File Info

                                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Entropy (8bit):7.991858921534075
                                                                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                                                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                                                                                                        File name:QLTa31hZsN.exe
                                                                                                                                                                                                                                                        File size:355'840 bytes
                                                                                                                                                                                                                                                        MD5:daf2c3b134b7eb351027b07f9134093a
                                                                                                                                                                                                                                                        SHA1:bef5e2fbbb6409182e19025aa6eef37de9e2d9b5
                                                                                                                                                                                                                                                        SHA256:b22198ac3df18326aba01db3b50038e880327bad5ec59cc248848cd98d5eb0f6
                                                                                                                                                                                                                                                        SHA512:1041b5b3dcd1463a286dc9dada110f26dffc6ff8a8791527488e4527f09e13d82da79c9cab61aabf0e87cf04840b1ab5a839c0a427d39c1ba33f543c013e10d5
                                                                                                                                                                                                                                                        SSDEEP:6144:irT55Efr24puFmFySo/NJrMyzqPOEK6l6wQVaIucpahQMqgCNz1ZB3WpWIUAHcpv:m5Cfr2LQyh/rLcdQVhucjM1CDQQPpNGH
                                                                                                                                                                                                                                                        TLSH:02742316EAD8D013F70F677A94F351D482B1B3EFE0C722597AC11B9415636A4C3B392A
                                                                                                                                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:9%g.................d............... ........@.. ....................................@................................

                                                                                                                                                                                                                                                        File Icon

                                                                                                                                                                                                                                                        Icon Hash:00928e8e8686b000

                                                                                                                                                                                                                                                        Static PE Info

                                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                                        Entrypoint:0x4583ee
                                                                                                                                                                                                                                                        Entrypoint Section:.text
                                                                                                                                                                                                                                                        Digitally signed:false
                                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                                        Subsystem:windows gui
                                                                                                                                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                                        Time Stamp:0x6725393A [Fri Nov 1 20:25:30 2024 UTC]
                                                                                                                                                                                                                                                        TLS Callbacks:
                                                                                                                                                                                                                                                        CLR (.Net) Version:
                                                                                                                                                                                                                                                        OS Version Major:4
                                                                                                                                                                                                                                                        OS Version Minor:0
                                                                                                                                                                                                                                                        File Version Major:4
                                                                                                                                                                                                                                                        File Version Minor:0
                                                                                                                                                                                                                                                        Subsystem Version Major:4
                                                                                                                                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                                                                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                                                                                                                                                        Entrypoint Preview

                                                                                                                                                                                                                                                        Instruction
                                                                                                                                                                                                                                                        jmp dword ptr [00402000h]
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al

                                                                                                                                                                                                                                                        Data Directories

                                                                                                                                                                                                                                                        NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x583980x53.text
                                                                                                                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x5a0000x588.rsrc
                                                                                                                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x5c0000xc.reloc
                                                                                                                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                                                                                                                                        Sections

                                                                                                                                                                                                                                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                                                                                                                        .text0x20000x563f40x5640065824c3d1fdfe951ae2ea05a55d35b2cFalse0.9970561594202898data7.997265136130929IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                                                                                                                        .rsrc0x5a0000x5880x600f0d9611517163de4e5499436ad3b2fc6False0.4075520833333333data4.2615347015084915IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                                                                                                                        .reloc0x5c0000xc0x2000c18f58ec93ad7a1734ef7b014e8d073False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                                                                                                                                        Resources

                                                                                                                                                                                                                                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                                                                                                                                        RT_VERSION0x5a0a00x23cdata0.47202797202797203
                                                                                                                                                                                                                                                        RT_MANIFEST0x5a2e00x2a1XML 1.0 document, ASCII text0.4739970282317979

                                                                                                                                                                                                                                                        Imports

                                                                                                                                                                                                                                                        DLLImport
                                                                                                                                                                                                                                                        mscoree.dll_CorExeMain

                                                                                                                                                                                                                                                        Network Behavior

                                                                                                                                                                                                                                                        Suricata IDS Alerts

                                                                                                                                                                                                                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                                                                                                                                        2024-11-25T13:58:58.978563+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:58:58.978563+01002046045ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:58:59.321930+01002043234ET MALWARE Redline Stealer TCP CnC - Id1Response1212.162.149.5336014192.168.2.949713TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:04.379285+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:04.728231+01002046056ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)1212.162.149.5336014192.168.2.949713TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:05.196325+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:05.716651+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:06.063790+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:06.442088+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:06.797465+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:07.153033+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:07.504383+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:08.001156+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:08.354122+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:08.735580+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:09.124009+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:09.468617+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:09.818377+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:10.163640+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:10.596211+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:11.082391+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:11.407262+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:12.569166+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:13.039064+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:13.161167+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:14.384459+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:14.739771+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:15.132883+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949713212.162.149.5336014TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:17.818686+01002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:18.181067+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:18.210077+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:30.170067+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:30.170067+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:31.784664+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:31.786624+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:45.405454+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:45.409004+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:59.004250+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T13:59:59.006014+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:00.181083+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:00.181083+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:05.565401+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:05.568226+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:06.415695+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:06.449582+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:06.617019+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:06.691882+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:06.785162+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:06.812857+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:07.442618+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:07.643320+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:07.687989+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:07.688043+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:07.763471+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:07.844151+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:07.926209+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:08.007124+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:08.046818+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:14.910241+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:14.912697+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:18.069961+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:18.190610+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:18.270809+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:18.311132+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:18.512240+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:18.552246+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:18.641861+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:18.672349+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:23.863825+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:23.865606+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:24.107434+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:24.113170+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:29.095222+01002853193ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:29.455925+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:29.457832+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:30.156856+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:30.156856+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:37.649359+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:37.652688+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:44.325273+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:44.327086+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:49.670120+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:49.673380+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:55.128458+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:55.133546+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:55.329673+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:55.336619+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:57.478454+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:00:57.480277+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:00.177565+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:00.177565+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:05.239256+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:05.243305+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:05.442753+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:05.563162+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:06.221734+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:06.223615+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:09.186107+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:09.187611+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:10.326225+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:10.328120+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:10.527321+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:10.529147+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:19.818605+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:19.820626+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:26.143883+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:26.149236+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:26.344967+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:26.348892+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:26.470739+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:26.475405+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:27.000198+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:27.012974+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:28.108451+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:28.109895+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:30.187423+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:30.187423+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:37.316718+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:37.342475+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:42.725635+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:42.727720+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:42.926683+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:42.929001+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:44.701272+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:44.707494+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:46.536893+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:46.543540+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:51.208867+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:51.472602+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:57.706534+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:01:57.708657+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:00.003471+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:00.076176+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:00.204617+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:00.204617+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:00.848894+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:00.851817+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:02.083745+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:02.086562+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:02.273934+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:02.277947+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:04.050782+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:04.052939+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:07.645545+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:07.648980+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:14.066720+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:14.068753+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:17.961886+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:18.118857+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:18.158171+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:18.163186+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:18.278320+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:18.335660+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:18.359262+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:18.375677+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:18.441816+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:18.460335+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:23.880317+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:23.881695+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:28.425648+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:28.439318+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:28.633451+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:28.753264+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:28.836211+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:28.996131+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:29.047705+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:30.182723+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:30.182723+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:34.636733+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:34.667715+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:39.255164+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:39.256745+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:42.317112+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:42.323746+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:42.812741+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:42.819747+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:44.350178+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:44.359760+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:44.551649+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:44.553892+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:48.356260+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:48.361611+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:49.499308+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:49.501187+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:53.707791+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:53.713360+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:54.543342+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:54.545276+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:54.744106+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:02:54.745874+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:03:00.715622+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:03:00.715622+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:03:00.715722+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:03:00.715722+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:03:00.957275+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:03:00.958876+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:03:01.159820+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP
                                                                                                                                                                                                                                                        2024-11-25T14:03:03.758650+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1212.162.149.537071192.168.2.949728TCP
                                                                                                                                                                                                                                                        2024-11-25T14:03:03.759515+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.949728212.162.149.537071TCP

                                                                                                                                                                                                                                                        Network Port Distribution

                                                                                                                                                                                                                                                        TCP Packets

                                                                                                                                                                                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                                                                        Nov 25, 2024 13:58:57.660892963 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:58:57.780981064 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:58:57.781105995 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:58:57.792699099 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:58:57.912764072 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:58:58.932248116 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:58:58.978563070 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:58:59.098596096 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:58:59.321929932 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:58:59.375519037 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:03.939598083 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:04.059906960 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:04.059981108 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:04.206864119 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:04.331433058 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:04.379285097 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:04.499268055 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:04.728040934 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:04.728106976 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:04.728144884 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:04.728179932 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:04.728188038 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:04.728230953 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:04.728307009 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:04.789897919 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:05.196325064 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:05.316732883 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:05.541532993 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:05.594270945 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:05.716650963 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:05.836692095 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:06.059149981 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:06.063790083 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:06.190730095 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:06.414695024 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:06.442087889 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:06.562119961 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:06.787041903 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:06.797465086 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:06.917773962 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:07.143271923 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:07.153033018 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:07.274357080 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:07.500344038 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:07.504383087 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:07.624553919 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:07.850070953 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:07.891177893 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:08.001156092 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:08.121088982 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:08.345040083 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:08.354121923 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:08.479159117 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:08.479176998 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:08.479199886 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:08.479209900 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:08.479294062 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:08.479302883 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:08.479381084 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:08.479418039 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:08.731220007 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:08.735579967 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:08.855726004 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:09.098232985 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:09.124008894 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:09.244410038 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:09.466723919 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:09.468616962 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:09.588661909 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:09.814728975 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:09.818377018 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:09.938744068 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.162597895 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.163640022 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.283708096 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.506900072 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.582736015 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.596210957 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.716464043 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.716480017 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.716490030 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.716499090 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.716516972 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.716526031 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.716646910 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.716655970 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.716664076 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.717819929 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.717829943 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.718003988 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.718014002 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.718023062 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.718031883 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.718199015 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:10.718208075 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:11.025855064 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:11.082391024 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:11.407262087 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:11.527234077 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:11.750232935 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:11.797461987 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:12.569165945 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:12.689241886 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:12.913722992 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:12.969510078 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.039063931 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.039129972 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161021948 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161047935 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161164045 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161166906 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161175013 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161241055 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161247969 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161273003 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161309004 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161341906 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161355019 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161395073 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161453962 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161456108 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161499023 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161514997 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161545992 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161808968 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161818981 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161829948 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161838055 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161847115 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161856890 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161927938 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161928892 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161964893 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161977053 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.161978960 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162013054 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162101030 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162110090 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162147999 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162192106 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162203074 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162215948 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162280083 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162317038 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162372112 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162374020 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162424088 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162471056 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162477016 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162507057 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162601948 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162602901 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162611961 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162631989 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162659883 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.162683964 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.281414032 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.281440973 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.281461954 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.281493902 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.281537056 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.281603098 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.281625986 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.281794071 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.281814098 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.281949997 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282028913 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282068968 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282119036 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282155991 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282165051 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282237053 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282260895 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282327890 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282358885 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282470942 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282480955 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282500029 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282537937 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282552958 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282579899 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282632113 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282651901 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282706022 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282710075 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282720089 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282762051 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282771111 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282824039 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282851934 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282860994 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282931089 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.282939911 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283042908 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283056021 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283098936 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283153057 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283225060 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283232927 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283324957 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283333063 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283340931 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283397913 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283406973 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283493042 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283503056 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283514977 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283525944 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283612013 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283622980 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283721924 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283731937 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283772945 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283781052 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283878088 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283888102 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283953905 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.283962011 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.284049034 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.284058094 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.284137964 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.284146070 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.284223080 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.284233093 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.284341097 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.284373045 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.401571989 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.401586056 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.401619911 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.401679993 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.401766062 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.401828051 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.402107954 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.402183056 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.402559996 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.402571917 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.402657032 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.402698040 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.402975082 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.402987003 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.403083086 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.403130054 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.403254032 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.403264999 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.403383970 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.403393984 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.403460979 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.403511047 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.403695107 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.403703928 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.403826952 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.403836012 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.403950930 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.403959990 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404052973 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404062986 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404098988 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404149055 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404234886 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404311895 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404320955 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404371977 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404453993 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404484034 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404573917 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404587030 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404665947 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404674053 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404764891 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404835939 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404918909 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.404937029 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.405069113 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.405077934 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.405154943 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.405174017 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.405282974 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.405313015 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.405427933 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.405436993 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.405533075 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.405543089 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.405637026 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.405651093 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.405792952 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.405802011 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.405927896 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.405982018 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.406280994 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.406347036 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.522300959 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.522339106 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.522372961 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.522435904 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.522471905 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.522572994 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.522582054 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.522665977 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.522706985 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.522788048 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.522805929 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.522845030 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.522886038 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.522965908 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.522986889 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523071051 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523088932 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523160934 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523195028 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523350000 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523359060 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523422003 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523442030 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523483038 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523529053 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523595095 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523606062 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523679972 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523753881 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523763895 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523773909 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523866892 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523875952 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523910046 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.523976088 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524019957 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524061918 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524153948 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524163008 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524226904 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524245024 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524398088 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524406910 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524434090 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524513006 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524575949 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524585962 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524620056 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524630070 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524733067 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524748087 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524823904 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524833918 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.524868011 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.526755095 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.526766062 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.526968002 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527021885 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527029991 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527039051 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527046919 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527067900 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527076006 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527160883 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527168989 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527266979 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527276039 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527349949 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527358055 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527457952 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527467012 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527502060 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527580976 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527590990 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527697086 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527707100 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527807951 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527817011 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527901888 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527913094 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.527976036 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528023005 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528105021 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528112888 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528173923 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528228045 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528301001 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528351068 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528434992 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528477907 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528517962 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528563023 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528625965 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528680086 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528758049 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528778076 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528848886 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528867006 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528959036 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.528976917 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.529072046 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.529081106 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.529155016 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.529164076 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.529226065 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.529270887 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.529356003 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.529386044 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.586117983 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.586195946 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.586195946 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.586253881 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.706505060 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.706593990 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.706713915 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.706734896 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.706849098 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.706859112 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.706876993 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.706881046 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.706969976 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.706979990 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707042933 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707052946 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707076073 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707087994 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707195044 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707204103 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707232952 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707264900 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707365036 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707375050 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707432985 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707544088 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707636118 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707645893 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707689047 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707700968 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707818985 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707828045 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707849026 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707858086 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707916975 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.707926989 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708003044 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708013058 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708029985 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708039045 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708082914 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708154917 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708200932 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708210945 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708286047 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708408117 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708417892 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708425999 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708451986 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708465099 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708548069 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708559036 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708609104 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708620071 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708707094 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708717108 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708792925 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708812952 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708823919 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708895922 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.708905935 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709013939 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709022999 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709062099 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709142923 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709151983 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709161997 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709275007 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709284067 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709363937 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709414005 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709558010 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709568024 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709650040 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709702969 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709713936 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709745884 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709876060 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709884882 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.709949017 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710052013 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710061073 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710100889 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710110903 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710119009 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710185051 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710194111 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710201979 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710211039 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710302114 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710311890 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710330009 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710340023 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710423946 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710433006 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710470915 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710479975 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710534096 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710542917 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710591078 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710642099 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710728884 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710738897 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710799932 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710808992 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710918903 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.710939884 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.711029053 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.711154938 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.711164951 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.711184025 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.711193085 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.712235928 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.712323904 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.712323904 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.712372065 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.832484007 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.832500935 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.832604885 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.832614899 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.832669020 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.832679987 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.832700968 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.832825899 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.832834959 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.832926035 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833076954 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833087921 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833173037 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833182096 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833231926 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833282948 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833301067 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833308935 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833376884 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833421946 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833532095 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833595037 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833602905 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833611012 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833770037 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833781958 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833878994 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833888054 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833941936 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.833961010 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834178925 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834188938 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834275961 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834285021 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834297895 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834383965 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834393978 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834465981 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834475994 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834484100 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834634066 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834644079 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834661007 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834670067 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834712982 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834768057 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834852934 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834861994 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834944010 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.834953070 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835124969 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835135937 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835299969 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835354090 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835362911 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835406065 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835445881 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835480928 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835541964 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835685968 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835695028 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835812092 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835820913 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835858107 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835866928 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835911036 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835920095 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835966110 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.835974932 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836062908 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836071968 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836126089 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836225033 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836232901 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836241007 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836365938 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836375952 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836389065 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836397886 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836483002 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836493969 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836503029 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836621046 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836631060 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836638927 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836647034 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836656094 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836745024 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836754084 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836761951 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836771011 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836873055 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.836922884 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.837002993 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.837014914 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.837095022 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.837208033 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.837228060 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.837235928 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.837322950 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.837332010 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.837414026 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.837423086 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.837433100 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.837485075 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.837503910 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.837587118 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.837594986 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.838206053 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.838291883 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.838291883 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.838331938 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.958390951 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.958408117 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.958420038 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.958592892 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.958602905 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.958704948 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.958779097 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.959048986 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.959057093 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.959213972 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.959223032 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.959337950 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.959429979 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.959539890 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.959549904 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.959625959 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.959697962 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.959836006 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.959845066 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.960067987 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.960140944 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.960293055 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.960303068 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.960417986 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.960561991 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.960604906 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.960679054 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.960695028 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.960840940 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.960980892 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.961050987 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.961143017 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.961224079 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.961374998 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.961417913 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.961436033 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.961555958 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.962066889 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.962074995 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:13.962512016 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:14.081666946 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:14.081764936 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:14.081800938 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:14.081969023 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:14.082017899 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:14.082138062 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:14.082206011 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:14.383851051 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:14.384459019 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:14.504952908 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:14.738677979 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:14.739770889 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:14.860058069 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:15.098031998 CET3601449713212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:15.132883072 CET4971336014192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:17.818686008 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:17.938580990 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:18.181066990 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:18.210077047 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:18.330185890 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:30.170067072 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:30.219460011 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:31.423393965 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:31.544006109 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:31.784663916 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:31.786623955 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:31.906932116 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:45.032485962 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:45.152756929 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:45.405453920 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:45.409003973 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:45.529673100 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:58.642170906 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:58.762718916 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:59.004250050 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:59.006014109 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 13:59:59.126069069 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:00.181082964 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:00.235263109 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:05.204369068 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:05.324399948 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:05.565401077 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:05.568226099 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:05.688195944 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:06.048119068 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:06.168298960 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:06.168349028 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:06.289886951 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:06.329297066 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:06.415694952 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:06.449501038 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:06.449582100 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:06.574157953 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:06.617018938 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:06.657133102 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:06.691881895 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:06.785161972 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:06.811907053 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:06.812856913 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:06.932907104 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.079360008 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.199771881 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.199830055 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.321446896 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.321679115 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.441752911 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.441840887 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.442617893 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.485285997 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.605619907 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.605679035 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.643320084 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.687988997 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.688043118 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.763396025 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.763470888 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.844151020 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.844218969 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.926141977 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.926208973 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.927187920 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.964291096 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:07.964344025 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:08.007123947 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:08.046552896 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:08.046818018 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:08.084485054 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:08.166870117 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:14.548319101 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:14.668436050 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:14.910240889 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:14.912697077 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:15.033687115 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:17.704771042 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:17.829339027 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:17.829401016 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:17.950340986 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:17.950406075 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.069961071 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.070379972 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.070559978 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.190520048 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.190609932 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.270808935 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.310965061 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.311131954 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.391833067 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.431998014 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.432101965 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.512239933 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.552123070 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.552246094 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.641860962 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.672231913 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.672348976 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:18.792496920 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:23.501382113 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:23.621658087 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:23.621726990 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:23.743366003 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:23.863825083 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:23.865606070 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:23.985688925 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:24.107434034 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:24.113169909 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:24.233169079 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:29.095221996 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:29.215713978 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:29.455924988 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:29.457832098 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:29.578646898 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:30.156856060 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:30.391664982 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:37.282597065 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:37.403445005 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:37.649358988 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:37.652688026 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:37.778047085 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:43.954583883 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:44.074915886 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:44.325273037 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:44.327085972 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:44.447642088 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:49.298476934 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:49.420195103 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:49.670120001 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:49.673379898 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:49.793972969 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:54.767168999 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:54.887233019 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:54.887293100 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:55.009546041 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:55.128458023 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:55.133546114 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:55.253889084 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:55.329673052 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:55.336618900 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:55.456768036 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:56.782871008 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:57.191279888 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:57.237385035 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:57.311480999 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:57.478454113 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:57.480277061 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:00:57.600243092 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:00.177565098 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:00.304718971 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:04.876493931 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:04.998287916 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:04.998435020 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:05.118374109 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:05.239255905 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:05.243304968 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:05.364641905 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:05.440388918 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:05.442753077 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:05.562942028 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:05.563162088 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:05.683332920 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:05.815301895 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:05.939436913 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:06.221734047 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:06.223614931 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:06.343738079 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:08.813961983 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:08.934422016 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:09.186106920 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:09.187611103 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:09.307665110 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:09.954962015 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:10.077357054 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:10.077472925 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:10.197547913 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:10.326225042 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:10.328119993 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:10.449168921 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:10.527321100 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:10.529146910 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:10.649724007 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:19.455015898 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:19.575158119 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:19.818604946 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:19.820626020 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:19.940674067 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:25.782937050 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:25.902997971 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:25.903055906 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:26.023088932 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:26.143882990 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:26.149235964 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:26.269500971 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:26.344966888 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:26.348891973 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:26.468916893 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:26.470738888 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:26.475404978 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:26.638537884 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:26.638797045 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:26.758903980 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:27.000197887 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:27.012974024 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:27.133138895 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:27.744580030 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:27.865509033 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:28.108450890 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:28.109894991 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:28.230115891 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:30.187422991 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:30.395432949 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:36.955486059 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:37.075661898 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:37.316718102 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:37.342474937 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:37.462889910 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:42.363480091 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:42.484239101 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:42.534502029 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:42.656050920 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:42.725635052 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:42.727720022 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:42.851428032 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:42.926682949 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:42.929001093 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:43.050812960 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:44.331489086 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:44.454998970 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:44.701272011 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:44.707494020 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:44.832850933 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:46.173863888 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:46.294239044 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:46.536892891 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:46.543540001 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:46.663662910 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:50.847520113 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:50.967542887 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:51.208867073 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:51.392107964 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:51.472601891 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:51.593169928 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:57.345639944 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:57.466367960 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:57.706533909 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:57.708657026 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:57.828974009 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:59.642792940 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:01:59.762789011 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:00.003470898 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:00.048255920 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:00.076175928 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:00.196388006 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:00.204617023 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:00.251554966 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:00.486287117 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:00.646667957 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:00.848893881 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:00.851816893 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:00.972745895 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:01.705979109 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:01.832312107 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:01.832370996 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:01.952449083 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:01.952502966 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:02.072654963 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:02.083745003 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:02.086561918 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:02.251142025 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:02.273933887 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:02.277946949 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:02.284717083 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:02.291584969 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:02.398243904 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:02.406618118 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:02.408657074 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:02.454881907 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:02.570641041 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:02.571038008 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:02.690927029 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:03.689610958 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:03.809612989 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:04.050781965 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:04.052938938 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:04.174467087 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:07.283936977 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:07.404083967 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:07.645545006 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:07.648979902 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:07.769798994 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:13.705162048 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:13.825386047 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:14.066720009 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:14.068753004 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:14.189120054 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:17.596052885 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:17.716123104 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:17.716182947 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:17.836621046 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:17.836688042 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:17.956681967 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:17.956733942 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:17.961885929 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.030930042 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.118798018 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.118856907 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.158170938 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.163130045 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.163186073 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.238965034 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.247652054 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.278320074 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.330708027 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.330754042 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.335659981 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.359261990 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.367710114 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.375677109 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.441816092 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.457161903 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.460335016 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.495731115 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:18.580526114 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:23.517647982 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:23.637686014 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:23.880316973 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:23.881695032 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:24.003258944 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.064579010 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.184674978 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.184730053 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.305871010 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.311709881 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.425647974 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.431695938 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.431790113 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.439317942 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.552002907 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.559354067 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.627727032 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.633450985 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.635128021 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.635381937 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.751286030 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.751813889 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.753263950 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.799701929 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.836067915 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.836210966 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.915807962 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.919981956 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.958460093 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:28.996130943 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:29.041306019 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:29.047704935 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:29.167754889 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:30.182723045 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:30.236092091 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:33.580331087 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:33.892371893 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:34.204919100 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:34.395817995 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:34.395837069 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:34.395848989 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:34.636733055 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:34.667715073 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:34.790040970 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:38.892657995 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:39.013030052 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:39.255163908 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:39.256745100 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:39.376727104 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:41.955149889 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:42.076637983 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:42.317111969 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:42.323745966 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:42.447348118 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:42.451761961 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:42.571789980 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:42.812741041 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:42.819746971 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:42.940618992 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:43.986622095 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:44.107340097 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:44.107424974 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:44.227689028 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:44.350178003 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:44.359760046 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:44.480138063 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:44.551649094 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:44.553891897 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:44.674350023 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:47.986542940 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:48.106592894 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:48.356260061 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:48.361610889 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:48.481736898 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:49.035801888 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:49.156158924 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:49.499308109 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:49.501187086 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:49.621761084 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:53.283797026 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:53.406008959 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:53.707791090 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:53.713360071 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:53.842219114 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:54.127129078 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:54.303752899 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:54.307869911 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:54.427781105 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:54.543342113 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:54.545275927 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:54.668236971 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:54.744106054 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:54.745873928 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:02:54.865994930 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:00.080322981 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:00.564055920 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:00.715621948 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:00.715692997 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:00.715722084 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:00.715759039 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:00.715825081 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:00.715835094 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:00.836828947 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:00.957274914 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:00.958875895 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:01.080123901 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:01.158174992 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:01.159820080 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:01.281116962 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:01.281168938 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:01.402976990 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:03.395843983 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:03.516243935 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:03.758650064 CET707149728212.162.149.53192.168.2.9
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:03.759515047 CET497287071192.168.2.9212.162.149.53
                                                                                                                                                                                                                                                        Nov 25, 2024 14:03:03.879606009 CET707149728212.162.149.53192.168.2.9

                                                                                                                                                                                                                                                        DNS Answers

                                                                                                                                                                                                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                                                                                                                        Nov 25, 2024 13:58:52.342828035 CET1.1.1.1192.168.2.90xeb17No error (0)shed.dual-low.s-part-0035.t-0009.t-msedge.nets-part-0035.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                        Nov 25, 2024 13:58:52.342828035 CET1.1.1.1192.168.2.90xeb17No error (0)s-part-0035.t-0009.t-msedge.net13.107.246.63A (IP address)IN (0x0001)false

                                                                                                                                                                                                                                                        Statistics

                                                                                                                                                                                                                                                        CPU Usage

                                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                                        Memory Usage

                                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                                        High Level Behavior Distribution

                                                                                                                                                                                                                                                        Click to dive into process behavior distribution

                                                                                                                                                                                                                                                        Behavior

                                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                                        System Behavior

                                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                                        Target ID:0
                                                                                                                                                                                                                                                        Start time:07:58:53
                                                                                                                                                                                                                                                        Start date:25/11/2024
                                                                                                                                                                                                                                                        Path:C:\Users\user\Desktop\QLTa31hZsN.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:"C:\Users\user\Desktop\QLTa31hZsN.exe"
                                                                                                                                                                                                                                                        Imagebase:0x60000
                                                                                                                                                                                                                                                        File size:355'840 bytes
                                                                                                                                                                                                                                                        MD5 hash:DAF2C3B134B7EB351027B07F9134093A
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1349668045.0000000012329000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1349668045.00000000123B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1349668045.0000000012402000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1349573008.0000000002321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1349573008.0000000002321000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                                        Target ID:2
                                                                                                                                                                                                                                                        Start time:07:58:54
                                                                                                                                                                                                                                                        Start date:25/11/2024
                                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\XClient.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\XClient.exe"
                                                                                                                                                                                                                                                        Imagebase:0x600000
                                                                                                                                                                                                                                                        File size:41'472 bytes
                                                                                                                                                                                                                                                        MD5 hash:1C5CF825E29B63A62C3C8B1589D51A1E
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000000.1347511196.0000000000602000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000000.1347511196.0000000000602000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.3814842487.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: ditekSHen
                                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                                        • Detection: 100%, Avira
                                                                                                                                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                                        Target ID:3
                                                                                                                                                                                                                                                        Start time:07:58:54
                                                                                                                                                                                                                                                        Start date:25/11/2024
                                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\build.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\build.exe"
                                                                                                                                                                                                                                                        Imagebase:0x90000
                                                                                                                                                                                                                                                        File size:307'712 bytes
                                                                                                                                                                                                                                                        MD5 hash:1ED2ECAE05AAA1C505136F5252287CC7
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000000.1348602915.0000000000092000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1542262914.0000000002536000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\build.exe, Author: Joe Security
                                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                                        Target ID:5
                                                                                                                                                                                                                                                        Start time:07:59:11
                                                                                                                                                                                                                                                        Start date:25/11/2024
                                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\XClient.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\XClient.exe"
                                                                                                                                                                                                                                                        Imagebase:0x9f0000
                                                                                                                                                                                                                                                        File size:41'472 bytes
                                                                                                                                                                                                                                                        MD5 hash:1C5CF825E29B63A62C3C8B1589D51A1E
                                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
                                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                                        • Detection: 100%, Avira
                                                                                                                                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                                        Target ID:7
                                                                                                                                                                                                                                                        Start time:07:59:19
                                                                                                                                                                                                                                                        Start date:25/11/2024
                                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\XClient.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\XClient.exe"
                                                                                                                                                                                                                                                        Imagebase:0x490000
                                                                                                                                                                                                                                                        File size:41'472 bytes
                                                                                                                                                                                                                                                        MD5 hash:1C5CF825E29B63A62C3C8B1589D51A1E
                                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Disassembly

                                                                                                                                                                                                                                                        Reset < >

                                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                                          Function 00007FF887D10573 Relevance: 3.2, Strings: 2, Instructions: 693COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1351417344.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff887d10000_QLTa31hZsN.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: 8[L$r6B
                                                                                                                                                                                                                                                          • API String ID: 0-3374649634
                                                                                                                                                                                                                                                          • Opcode ID: 72247468a27b0163b15d866155aa921fb1f2a9999d3effc4dfcab58aebad9b57
                                                                                                                                                                                                                                                          • Instruction ID: 42bf39e81cc4f08170c3d2200dc2d29e71514373819dd93a789af351d43dacfb
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 72247468a27b0163b15d866155aa921fb1f2a9999d3effc4dfcab58aebad9b57
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B8B1C320E5CA4A4FF754B76894657B8A7E2FF99380F5406BAD01EC72CBDD18AC42C361
                                                                                                                                                                                                                                                          Function 00007FF887D10B6D Relevance: 1.5, Strings: 1, Instructions: 220COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1351417344.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff887d10000_QLTa31hZsN.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: (LH
                                                                                                                                                                                                                                                          • API String ID: 0-3987540409
                                                                                                                                                                                                                                                          • Opcode ID: 640bfe050a0e0ace9378342f252dfd749fc00003886e36aa22567eb8c55937d5
                                                                                                                                                                                                                                                          • Instruction ID: f5fa35bf3d8a27cbffc5368a2fd5d76a9d3f5634d9af6fc03c2f155febdba1bd
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 640bfe050a0e0ace9378342f252dfd749fc00003886e36aa22567eb8c55937d5
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01518131B489494FEB94FB6CD459BAD77E2FF99351F040179E04EC3296CE28AC428751
                                                                                                                                                                                                                                                          Function 00007FF887D10480 Relevance: 1.5, Strings: 1, Instructions: 204COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1351417344.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff887d10000_QLTa31hZsN.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: (LH
                                                                                                                                                                                                                                                          • API String ID: 0-3987540409
                                                                                                                                                                                                                                                          • Opcode ID: 4d52bb3de4c6a1e3308c7a6a4256ab6a5da211006f6ddb062e0d8d1a8fd10895
                                                                                                                                                                                                                                                          • Instruction ID: 2b0d701af43322d1bbd9b2d563ba4aae8137ec5a6351990ed6b80aa0d16303cb
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4d52bb3de4c6a1e3308c7a6a4256ab6a5da211006f6ddb062e0d8d1a8fd10895
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42514E31B589098FEB98FB6CD499BAD77E2FF98351F040179E00EC3296DE64AC428751
                                                                                                                                                                                                                                                          Function 00007FF887D10488 Relevance: .0, Instructions: 32COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1351417344.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff887d10000_QLTa31hZsN.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: cf018ec63befbe358338249e7bc7b9c27f1e14bb874262e18fe3701be8749826
                                                                                                                                                                                                                                                          • Instruction ID: 85ebc9000fa0f135f04e496ea75d91a8c7feffaf8a8f143c70e4df9c8900d3bb
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cf018ec63befbe358338249e7bc7b9c27f1e14bb874262e18fe3701be8749826
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 37E0DF20B28C1D1F9A94F36C5069BA8A2E1FF9C390B110AB6F40EC7286DD28EC408391

                                                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                                                          Execution Coverage:19.7%
                                                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                                                                                                                          Total number of Nodes:3
                                                                                                                                                                                                                                                          Total number of Limit Nodes:0
                                                                                                                                                                                                                                                          execution_graph 5048 7ff887d3214a 5050 7ff887d32930 SetWindowsHookExW 5048->5050 5051 7ff887d329e1 5050->5051

                                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                                          Function 00007FF887D30EE9 Relevance: 14.5, Strings: 11, Instructions: 733COMMON
                                                                                                                                                                                                                                                          Download Yara Rule

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3822646863.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7ff887d30000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: 6B$6B$6B$6B$"rB$0DL$0DL$0DL$0DL$8ML$CAM_^
                                                                                                                                                                                                                                                          • API String ID: 0-654379450
                                                                                                                                                                                                                                                          • Opcode ID: 266f9da1fd5f4993355181c4a7cb052950b51dcb9e0106e88af7563b15adf76e
                                                                                                                                                                                                                                                          • Instruction ID: 4e743b3dce3bc6d9d5a77deb7e160814ab41f960221717e703cfed44877ba263
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 266f9da1fd5f4993355181c4a7cb052950b51dcb9e0106e88af7563b15adf76e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C532A221B58A4A4FE798EB6C94593BDB7E2FF88750B44067DD04FC3296EE2DA801C741
                                                                                                                                                                                                                                                          Function 00007FF887D32D58 Relevance: 3.6, Strings: 2, Instructions: 1068COMMON
                                                                                                                                                                                                                                                          Download Yara Rule

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 276 7ff887d32d58-7ff887d3d1c0 call 7ff887d305e0 280 7ff887d3d1c5-7ff887d3d205 276->280 284 7ff887d3d27b 280->284 285 7ff887d3d207-7ff887d3d224 280->285 287 7ff887d3d280-7ff887d3d295 284->287 285->287 288 7ff887d3d226-7ff887d3d276 call 7ff887d3abd0 285->288 291 7ff887d3d2ae-7ff887d3d2c3 287->291 292 7ff887d3d297-7ff887d3d2a9 call 7ff887d305f0 287->292 309 7ff887d3dec6-7ff887d3ded4 288->309 297 7ff887d3d2f6-7ff887d3d30b 291->297 298 7ff887d3d2c5-7ff887d3d2f1 291->298 292->309 306 7ff887d3d31e-7ff887d3d333 297->306 307 7ff887d3d30d-7ff887d3d319 call 7ff887d3a270 297->307 298->309 313 7ff887d3d379-7ff887d3d38e 306->313 314 7ff887d3d335-7ff887d3d338 306->314 307->309 319 7ff887d3d3cf-7ff887d3d3e4 313->319 320 7ff887d3d390-7ff887d3d393 313->320 314->284 316 7ff887d3d33e-7ff887d3d349 314->316 316->284 318 7ff887d3d34f-7ff887d3d374 call 7ff887d305c8 call 7ff887d3a270 316->318 318->309 327 7ff887d3d411-7ff887d3d426 319->327 328 7ff887d3d3e6-7ff887d3d3e9 319->328 320->284 321 7ff887d3d399-7ff887d3d3a4 320->321 321->284 323 7ff887d3d3aa-7ff887d3d3ca call 7ff887d305c8 call 7ff887d32da8 321->323 323->309 337 7ff887d3d42c-7ff887d3d48c call 7ff887d30550 327->337 338 7ff887d3d512-7ff887d3d527 327->338 328->284 331 7ff887d3d3ef-7ff887d3d40c call 7ff887d305c8 call 7ff887d32db0 328->331 331->309 337->284 377 7ff887d3d492-7ff887d3d4b4 337->377 346 7ff887d3d529-7ff887d3d52c 338->346 347 7ff887d3d546-7ff887d3d55b 338->347 346->284 348 7ff887d3d532-7ff887d3d541 call 7ff887d32d88 346->348 354 7ff887d3d57d-7ff887d3d592 347->354 355 7ff887d3d55d-7ff887d3d560 347->355 348->309 363 7ff887d3d5b2-7ff887d3d5c7 354->363 364 7ff887d3d594-7ff887d3d5ad 354->364 355->284 357 7ff887d3d566-7ff887d3d578 call 7ff887d32d88 355->357 357->309 368 7ff887d3d5c9-7ff887d3d5e2 363->368 369 7ff887d3d5e7-7ff887d3d5fc 363->369 364->309 368->309 375 7ff887d3d5fe-7ff887d3d617 369->375 376 7ff887d3d61c-7ff887d3d631 369->376 375->309 381 7ff887d3d65a-7ff887d3d66f 376->381 382 7ff887d3d633-7ff887d3d636 376->382 389 7ff887d3d4b6-7ff887d3d4b8 377->389 390 7ff887d3d4b5 377->390 387 7ff887d3d70f-7ff887d3d724 381->387 388 7ff887d3d675-7ff887d3d6ac 381->388 382->284 383 7ff887d3d63c-7ff887d3d655 382->383 383->309 396 7ff887d3d73c-7ff887d3d751 387->396 397 7ff887d3d726-7ff887d3d737 387->397 406 7ff887d3d6af-7ff887d3d6c4 388->406 389->390 394 7ff887d3d4ba-7ff887d3d4ca call 7ff887d3a280 389->394 390->389 394->284 405 7ff887d3d4d0-7ff887d3d50d call 7ff887d3a290 394->405 403 7ff887d3d7f1-7ff887d3d806 396->403 404 7ff887d3d757-7ff887d3d7cf 396->404 397->309 414 7ff887d3d808-7ff887d3d819 403->414 415 7ff887d3d81e-7ff887d3d833 403->415 404->284 452 7ff887d3d7d5-7ff887d3d7ec 404->452 405->309 417 7ff887d3d6c6-7ff887d3d6ed 406->417 414->309 424 7ff887d3d865-7ff887d3d87a 415->424 425 7ff887d3d835-7ff887d3d860 call 7ff887d30b20 call 7ff887d3abd0 415->425 417->284 431 7ff887d3d6f3-7ff887d3d70a 417->431 433 7ff887d3d880-7ff887d3d952 call 7ff887d30b20 call 7ff887d3abd0 424->433 434 7ff887d3d957-7ff887d3d96c 424->434 425->309 431->309 433->309 443 7ff887d3da33-7ff887d3da48 434->443 444 7ff887d3d972-7ff887d3d975 434->444 453 7ff887d3da4a-7ff887d3da57 call 7ff887d3abd0 443->453 454 7ff887d3da5c-7ff887d3da71 443->454 445 7ff887d3d97b-7ff887d3d986 444->445 446 7ff887d3da28-7ff887d3da2d 444->446 445->446 450 7ff887d3d98c-7ff887d3da26 call 7ff887d30b20 call 7ff887d3abd0 445->450 456 7ff887d3da2e 446->456 450->456 452->309 453->309 464 7ff887d3dae8-7ff887d3dafd 454->464 465 7ff887d3da73-7ff887d3da84 454->465 456->309 474 7ff887d3daff-7ff887d3db02 464->474 475 7ff887d3db3d-7ff887d3db52 464->475 465->284 472 7ff887d3da8a-7ff887d3da9a call 7ff887d305c0 465->472 482 7ff887d3da9c-7ff887d3dac1 call 7ff887d3abd0 472->482 483 7ff887d3dac6-7ff887d3dae3 call 7ff887d305c0 call 7ff887d305c8 call 7ff887d32d60 472->483 474->284 476 7ff887d3db08-7ff887d3db38 call 7ff887d305b8 call 7ff887d305c8 call 7ff887d32d60 474->476 487 7ff887d3db98-7ff887d3dbad 475->487 488 7ff887d3db54-7ff887d3db93 call 7ff887d31d90 call 7ff887d3c0d0 call 7ff887d32d68 475->488 476->309 482->309 483->309 503 7ff887d3dc4d-7ff887d3dc62 487->503 504 7ff887d3dbb3-7ff887d3dc48 call 7ff887d30b20 call 7ff887d3abd0 487->504 488->309 503->309 516 7ff887d3dc68-7ff887d3dc6f 503->516 504->309 522 7ff887d3dc82-7ff887d3dca7 516->522 523 7ff887d3dc71-7ff887d3dc7b call 7ff887d3a2a0 516->523 540 7ff887d3dcaa-7ff887d3dcb5 522->540 523->522 546 7ff887d3dcb7-7ff887d3dd43 call 7ff887d3a2b0 call 7ff887d3a2c0 call 7ff887d3a2d0 call 7ff887d3a2e0 call 7ff887d33160 540->546 546->309
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3822646863.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7ff887d30000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: $ML_H
                                                                                                                                                                                                                                                          • API String ID: 0-3623178540
                                                                                                                                                                                                                                                          • Opcode ID: 45cbe18e3a618ba03ecdf75af7d5d260a5ae30be266a4dc67938453f15da4a45
                                                                                                                                                                                                                                                          • Instruction ID: bd32cf10e6fd25810d068770292d1ff21ab8cf4893fdbd734bae6af1e4547c62
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 45cbe18e3a618ba03ecdf75af7d5d260a5ae30be266a4dc67938453f15da4a45
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B6725F20F5C91A8BFB98E768849577D72E2FF99390F544678D01FD7286EE2CA802C741
                                                                                                                                                                                                                                                          Function 00007FF887D38556 Relevance: .5, Instructions: 475COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3822646863.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7ff887d30000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 40a38111c81c782f237b853adfb2a546957de9c6abfa834cc27c46f8ca9a0593
                                                                                                                                                                                                                                                          • Instruction ID: e128ab64035bbe78f76b40322eb2ed7fcbd89ef9eac57eb4908b313fc39c9901
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 40a38111c81c782f237b853adfb2a546957de9c6abfa834cc27c46f8ca9a0593
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E6F1A730908A4E8FEBA8DF28D8557E937E1FF54350F04826ED84EC7295DB389945CB92
                                                                                                                                                                                                                                                          Function 00007FF887D39302 Relevance: .5, Instructions: 462COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3822646863.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7ff887d30000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: e44ae3339c530fe04a4a1072429dc1ed27a206c842655e39d813056be154d583
                                                                                                                                                                                                                                                          • Instruction ID: a9787ad783e941f4b3c12dbcdf9b3d521aa1fc081de228598a96cce78dab5912
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e44ae3339c530fe04a4a1072429dc1ed27a206c842655e39d813056be154d583
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B9E1A430908A4A8FEBA8DF28C8557E977E1FF64350F04426AD84EC7295DE789941C782
                                                                                                                                                                                                                                                          Function 00007FF887D32911 Relevance: 1.6, APIs: 1, Instructions: 131COMMON
                                                                                                                                                                                                                                                          Download Yara Rule

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 644 7ff887d32911-7ff887d3298d 648 7ff887d32a19-7ff887d32a1d 644->648 649 7ff887d32993-7ff887d32998 644->649 650 7ff887d329a2-7ff887d329df SetWindowsHookExW 648->650 651 7ff887d3299f-7ff887d329a0 649->651 652 7ff887d329e1 650->652 653 7ff887d329e7-7ff887d32a18 650->653 651->650 652->653
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3822646863.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7ff887d30000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: HookWindows
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2559412058-0
                                                                                                                                                                                                                                                          • Opcode ID: 9b084e31a1d35f3fa87f10a2d64e19a1cbc30cce33cba280e2e5fe2788b25357
                                                                                                                                                                                                                                                          • Instruction ID: 1ae44b77584c5188e6b4290657d1a63c65a461ee29fc1b5ba1d0a6d58a4364d0
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9b084e31a1d35f3fa87f10a2d64e19a1cbc30cce33cba280e2e5fe2788b25357
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5931E831A1CA1D8FDB58EB9CD84A7F977E1FB59321F00427ED009D3252DB64A852C781
                                                                                                                                                                                                                                                          Function 00007FF887D3214A Relevance: 1.6, APIs: 1, Instructions: 124COMMON
                                                                                                                                                                                                                                                          Download Yara Rule

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 656 7ff887d3214a-7ff887d3298d 660 7ff887d32a19-7ff887d32a1d 656->660 661 7ff887d32993-7ff887d32998 656->661 662 7ff887d329a2-7ff887d329df SetWindowsHookExW 660->662 663 7ff887d3299f-7ff887d329a0 661->663 664 7ff887d329e1 662->664 665 7ff887d329e7-7ff887d32a18 662->665 663->662 664->665
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3822646863.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7ff887d30000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: HookWindows
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2559412058-0
                                                                                                                                                                                                                                                          • Opcode ID: 3184c1942edcb3fb8b7d0dc233f8a3dc7a9d243dc5fcd3c44b9886372bb8338c
                                                                                                                                                                                                                                                          • Instruction ID: e967e453d5e27dd3b122fef0476653bd23e9d3cf8293226ffc755bb1b49f6425
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3184c1942edcb3fb8b7d0dc233f8a3dc7a9d243dc5fcd3c44b9886372bb8338c
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3E31B430A1CA1D9FEB58EB5CD8466FD77E1EB59321F10423ED00AD3251DA64B852C7C1

                                                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                                                          Execution Coverage:6.9%
                                                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                                                                                                                          Total number of Nodes:44
                                                                                                                                                                                                                                                          Total number of Limit Nodes:9
                                                                                                                                                                                                                                                          execution_graph 23021 92d300 DuplicateHandle 23022 92d396 23021->23022 23023 69f9868 23024 69f99f3 23023->23024 23026 69f988e 23023->23026 23026->23024 23027 69f81c4 23026->23027 23028 69f9ae8 PostMessageW 23027->23028 23029 69f9b54 23028->23029 23029->23026 22997 92d0b8 22998 92d0fe GetCurrentProcess 22997->22998 23000 92d150 GetCurrentThread 22998->23000 23001 92d149 22998->23001 23002 92d186 23000->23002 23003 92d18d GetCurrentProcess 23000->23003 23001->23000 23002->23003 23004 92d1c3 23003->23004 23005 92d1eb GetCurrentThreadId 23004->23005 23006 92d21c 23005->23006 23007 92ad38 23011 92ae30 23007->23011 23016 92ae20 23007->23016 23008 92ad47 23012 92ae64 23011->23012 23013 92ae41 23011->23013 23012->23008 23013->23012 23014 92b068 GetModuleHandleW 23013->23014 23015 92b095 23014->23015 23015->23008 23017 92ae64 23016->23017 23018 92ae41 23016->23018 23017->23008 23018->23017 23019 92b068 GetModuleHandleW 23018->23019 23020 92b095 23019->23020 23020->23008 23030 924668 23031 924684 23030->23031 23032 924696 23031->23032 23034 9247a0 23031->23034 23035 9247c5 23034->23035 23039 9248b0 23035->23039 23043 9248a1 23035->23043 23040 9248d7 23039->23040 23041 9249b4 23040->23041 23047 924248 23040->23047 23044 9248d7 23043->23044 23045 924248 CreateActCtxA 23044->23045 23046 9249b4 23044->23046 23045->23046 23048 925940 CreateActCtxA 23047->23048 23050 925a03 23048->23050

                                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                                          Function 0092D0A8 Relevance: 6.1, APIs: 4, Instructions: 133threadCOMMON
                                                                                                                                                                                                                                                          Download Yara Rule

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 0092D136
                                                                                                                                                                                                                                                          • GetCurrentThread.KERNEL32 ref: 0092D173
                                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 0092D1B0
                                                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0092D209
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1541621427.0000000000920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_920000_build.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Current$ProcessThread
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2063062207-0
                                                                                                                                                                                                                                                          • Opcode ID: 6ee39daa126482fa268dfa90c671aa29206575295d7045f8513a5daa53113d83
                                                                                                                                                                                                                                                          • Instruction ID: 0e26f74d4be24abd2c24a55e9f1fe96bec4c368edd6757df116f58ee6aa5f91d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6ee39daa126482fa268dfa90c671aa29206575295d7045f8513a5daa53113d83
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9B5168B09017498FDB18CFAAE548BDEBBF1EF48304F20845EE419A73A1D7749944CB65
                                                                                                                                                                                                                                                          Function 0092D0B8 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                                                                                                                                                                                                                          Download Yara Rule

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 0092D136
                                                                                                                                                                                                                                                          • GetCurrentThread.KERNEL32 ref: 0092D173
                                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 0092D1B0
                                                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0092D209
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1541621427.0000000000920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_920000_build.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Current$ProcessThread
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2063062207-0
                                                                                                                                                                                                                                                          • Opcode ID: 048c92018f0f40d75da796ef546d457644ef4de6235395eb1ecbc5294ba0d171
                                                                                                                                                                                                                                                          • Instruction ID: 3186249ab50cb6da4536dd44b564343ae74d468329b3947d5fdcdef18fa5efa5
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 048c92018f0f40d75da796ef546d457644ef4de6235395eb1ecbc5294ba0d171
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 375156B09017498FDB18CFAAD548B9EBBF1EF48300F20845AE419A73A1D7749944CF65
                                                                                                                                                                                                                                                          Function 0092AE30 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 197COMMON
                                                                                                                                                                                                                                                          Download Yara Rule

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 44 92ae30-92ae3f 45 92ae41-92ae4e call 929838 44->45 46 92ae6b-92ae6f 44->46 53 92ae50 45->53 54 92ae64 45->54 48 92ae83-92aec4 46->48 49 92ae71-92ae7b 46->49 55 92aed1-92aedf 48->55 56 92aec6-92aece 48->56 49->48 101 92ae56 call 92b0b8 53->101 102 92ae56 call 92b0c8 53->102 54->46 57 92af03-92af05 55->57 58 92aee1-92aee6 55->58 56->55 63 92af08-92af0f 57->63 60 92aef1 58->60 61 92aee8-92aeef call 92a814 58->61 59 92ae5c-92ae5e 59->54 62 92afa0-92afb7 59->62 65 92aef3-92af01 60->65 61->65 77 92afb9-92b018 62->77 66 92af11-92af19 63->66 67 92af1c-92af23 63->67 65->63 66->67 68 92af30-92af39 call 92a824 67->68 69 92af25-92af2d 67->69 75 92af46-92af4b 68->75 76 92af3b-92af43 68->76 69->68 78 92af69-92af76 75->78 79 92af4d-92af54 75->79 76->75 95 92b01a-92b060 77->95 84 92af78-92af96 78->84 85 92af99-92af9f 78->85 79->78 80 92af56-92af66 call 92a834 call 92a844 79->80 80->78 84->85 96 92b062-92b065 95->96 97 92b068-92b093 GetModuleHandleW 95->97 96->97 98 92b095-92b09b 97->98 99 92b09c-92b0b0 97->99 98->99 101->59 102->59
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0092B086
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1541621427.0000000000920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_920000_build.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: HandleModule
                                                                                                                                                                                                                                                          • String ID: 0Vm$0Vm
                                                                                                                                                                                                                                                          • API String ID: 4139908857-1520638196
                                                                                                                                                                                                                                                          • Opcode ID: a1aee965348c544b5a37c89afb5d495d4b0b11b53450dc89989bbab6d3bf9df5
                                                                                                                                                                                                                                                          • Instruction ID: 1e00a4d91030b13ebfe904b825c56b96a054828e748a42ae48b7ad362409534b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a1aee965348c544b5a37c89afb5d495d4b0b11b53450dc89989bbab6d3bf9df5
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BC7136B1A00B158FD724DF29E14079ABBF5FF88304F00892DE45ADBA54D779E849CB91
                                                                                                                                                                                                                                                          Function 00925935 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                                                                                                                                                                                                          Download Yara Rule

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 208 925935-925a01 CreateActCtxA 210 925a03-925a09 208->210 211 925a0a-925a64 208->211 210->211 218 925a73-925a77 211->218 219 925a66-925a69 211->219 220 925a88 218->220 221 925a79-925a85 218->221 219->218 223 925a89 220->223 221->220 223->223
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • CreateActCtxA.KERNEL32(?), ref: 009259F1
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1541621427.0000000000920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_920000_build.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Create
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2289755597-0
                                                                                                                                                                                                                                                          • Opcode ID: 25ee1f106534e477f2161b26a66b50e94ea84faa195483655b529ad7e2cbcca1
                                                                                                                                                                                                                                                          • Instruction ID: 9ea8012bbec00d0087056e08efc51cfbd23329c15f55ae5cd4bb6f25d8930a7c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 25ee1f106534e477f2161b26a66b50e94ea84faa195483655b529ad7e2cbcca1
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2741F0B0C00769CFEB24CFA9C884BDEBBB5BF48304F21816AD409AB255DB755945CF50
                                                                                                                                                                                                                                                          Function 00924248 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                                                                                                                                                                                          Download Yara Rule

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 224 924248-925a01 CreateActCtxA 227 925a03-925a09 224->227 228 925a0a-925a64 224->228 227->228 235 925a73-925a77 228->235 236 925a66-925a69 228->236 237 925a88 235->237 238 925a79-925a85 235->238 236->235 240 925a89 237->240 238->237 240->240
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • CreateActCtxA.KERNEL32(?), ref: 009259F1
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1541621427.0000000000920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_920000_build.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Create
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2289755597-0
                                                                                                                                                                                                                                                          • Opcode ID: 913b9231ccd2e1bf3c64d6ab41a4b63e40e425b685403433ea9334f953026ef2
                                                                                                                                                                                                                                                          • Instruction ID: 0f5f24b225fe7a8890c97579de5fcf92f3fbb0c6a23584d3fa5f79159ce27054
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 913b9231ccd2e1bf3c64d6ab41a4b63e40e425b685403433ea9334f953026ef2
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2841B1B0C00B29CFEB24CFA9C884BDEBBB5BF45304F21816AD419AB255DB756945CF90
                                                                                                                                                                                                                                                          Function 0092D2F9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                                                                                                                                                                                                                          Download Yara Rule

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 241 92d2f9-92d394 DuplicateHandle 242 92d396-92d39c 241->242 243 92d39d-92d3ba 241->243 242->243
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0092D387
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1541621427.0000000000920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_920000_build.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: DuplicateHandle
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3793708945-0
                                                                                                                                                                                                                                                          • Opcode ID: 1c2bb03f1df6686c35f5b01dfeed6b4ed32fc80ce21294fda7f0c2ee13631281
                                                                                                                                                                                                                                                          • Instruction ID: 20a2233b9b72cb1e7d3b3b0e2a3043bd6336461b7fa3903453be5fb5b5a57256
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1c2bb03f1df6686c35f5b01dfeed6b4ed32fc80ce21294fda7f0c2ee13631281
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E2114B5901219DFDB10CF9AE484ADEBBF4EB48314F14802AE918A3350C378A941CFA1
                                                                                                                                                                                                                                                          Function 0092D300 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                                                                                                                                                                                          Download Yara Rule

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 246 92d300-92d394 DuplicateHandle 247 92d396-92d39c 246->247 248 92d39d-92d3ba 246->248 247->248
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0092D387
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1541621427.0000000000920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_920000_build.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: DuplicateHandle
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3793708945-0
                                                                                                                                                                                                                                                          • Opcode ID: 97a59b2248d93850740c3967b6fbfcc3c8edbaee4ebb72f62e53d25dd4dec1f0
                                                                                                                                                                                                                                                          • Instruction ID: 2ec95545bf6014e6a2070557f9bcba04ec77025f9724fe8773a914d5d9b4aa8b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97a59b2248d93850740c3967b6fbfcc3c8edbaee4ebb72f62e53d25dd4dec1f0
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EE21C4B5901359DFDB10CF9AD584ADEBBF8EB48310F14841AE918A3350D374A954CFA5
                                                                                                                                                                                                                                                          Function 069F9AE0 Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON
                                                                                                                                                                                                                                                          Download Yara Rule

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 251 69f9ae0-69f9b52 PostMessageW 253 69f9b5b-69f9b6f 251->253 254 69f9b54-69f9b5a 251->254 254->253
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 069F9B45
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1561272566.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_69f0000_build.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: MessagePost
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 410705778-0
                                                                                                                                                                                                                                                          • Opcode ID: 6b42fab6574eec45e090afce129eccd3fc124151a6c2b738a0878090672352ae
                                                                                                                                                                                                                                                          • Instruction ID: a9462acd39aff11ba5b0b5800b10e7125bd8faec3f9ef0f2ad63e1958c06d59c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6b42fab6574eec45e090afce129eccd3fc124151a6c2b738a0878090672352ae
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 341103B5800349DFDB10CF9AC885BDEFBF8EB48310F20841AE558A7650C375A944CFA1
                                                                                                                                                                                                                                                          Function 069F81C4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                                                                                                                                                                                                          Download Yara Rule

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 262 69f81c4-69f9b52 PostMessageW 264 69f9b5b-69f9b6f 262->264 265 69f9b54-69f9b5a 262->265 265->264
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 069F9B45
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1561272566.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_69f0000_build.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: MessagePost
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 410705778-0
                                                                                                                                                                                                                                                          • Opcode ID: 5502461f86c8cd2afd395ecef2b1ed209f266649a786d8afca800717a8d2558c
                                                                                                                                                                                                                                                          • Instruction ID: ce9a7fe009bed6cd77d707021e0b97218031afe79d68b2841ca405412e6e7814
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5502461f86c8cd2afd395ecef2b1ed209f266649a786d8afca800717a8d2558c
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B21103B5800349DFDB10DF9AC884BDEFBF8EB48320F20885AE518A7600C375A944CFA1
                                                                                                                                                                                                                                                          Function 0092B020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                                                                                                                                                                                          Download Yara Rule

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 256 92b020-92b060 257 92b062-92b065 256->257 258 92b068-92b093 GetModuleHandleW 256->258 257->258 259 92b095-92b09b 258->259 260 92b09c-92b0b0 258->260 259->260
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0092B086
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1541621427.0000000000920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_920000_build.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: HandleModule
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 4139908857-0
                                                                                                                                                                                                                                                          • Opcode ID: fa14e0ef5d8655cfa79e6d54d0524eaf74a46d91dc757304bfe8acf98a974609
                                                                                                                                                                                                                                                          • Instruction ID: d7f3c3fde9905b631c2a5c1d4aa79b14ccbc33580610cae05b91a829cb7493e7
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fa14e0ef5d8655cfa79e6d54d0524eaf74a46d91dc757304bfe8acf98a974609
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9B110FB5C007498FDB20CF9AD444A9EFBF8AB88310F10842AD428B7614C379A545CFA5
                                                                                                                                                                                                                                                          Function 006CD3D8 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1541222078.00000000006CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006CD000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_6cd000_build.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 0be8ff80e8d81b6882c1b5bd91dbf31625672cf14d1ce575433d003cce79be05
                                                                                                                                                                                                                                                          • Instruction ID: 735f3b298ef888a1b1541fe7703452bd5d8db570c5e02f17ab447fe7de30d152
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0be8ff80e8d81b6882c1b5bd91dbf31625672cf14d1ce575433d003cce79be05
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9B21D671504344DFDB09DF10D9C0F6ABBA6FB94314F24C57DDA094B256C336E856CAA2
                                                                                                                                                                                                                                                          Function 006DD01C Relevance: .1, Instructions: 72COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1541268790.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_6dd000_build.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: dac450c4ac049f36f87782573a4db756ae90fdf33305e38280d183150fd22113
                                                                                                                                                                                                                                                          • Instruction ID: c250193a5d15c57a9678da29174b268e4733c7fc0515a77521c998dca2a8da9c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dac450c4ac049f36f87782573a4db756ae90fdf33305e38280d183150fd22113
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9221F271A04344DFDB14EF24D9C0B26BB66FBC8314F24C56AD80A4B386C336D847CAA2
                                                                                                                                                                                                                                                          Function 006DD005 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1541268790.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_6dd000_build.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 7e91c04396bf71f321a0c91022ae9b819b975f7bbd80be195756a93d291d07bc
                                                                                                                                                                                                                                                          • Instruction ID: 96d812121e53986a556fffe662dc52dbdff616ebdb501c3548ec8309545aa72a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7e91c04396bf71f321a0c91022ae9b819b975f7bbd80be195756a93d291d07bc
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6F217F755083809FCB02DF24D994751BF71EB86314F28C5EAD8498B3A7C33A9846CB62
                                                                                                                                                                                                                                                          Function 006CD3D3 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1541222078.00000000006CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006CD000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_6cd000_build.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                                                                                                                                                                                                                                          • Instruction ID: 58ea6cf9bb030c1c1f12e46caa30bac48229ffb7fd8d5c5302bcb4d8306b212a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A611AF76504240DFCB15CF10D9C4B66BFB2FB94324F24C6ADD9094B656C33AE856CBA1
                                                                                                                                                                                                                                                          Function 006CDA81 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1541222078.00000000006CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006CD000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_6cd000_build.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: e234ca271cfe7dc7563afe0813595fbe5516f5229e1b1f01c47fb0ed60fb030d
                                                                                                                                                                                                                                                          • Instruction ID: b509b5f9acd05cd1dfe0fb1541ce352e89bb3585c025aed6f9e1324eba6ec447
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e234ca271cfe7dc7563afe0813595fbe5516f5229e1b1f01c47fb0ed60fb030d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8501AD31108344ABF7109AA6C984FB7BBD9EF51320F18846EED095A282C6799C41CAB6
                                                                                                                                                                                                                                                          Function 006CDA80 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1541222078.00000000006CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006CD000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_6cd000_build.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 90747297dadc93f0089c425cbffdaddbe12b676465517f2b88a2cc46f1acbcbe
                                                                                                                                                                                                                                                          • Instruction ID: 65da4b77f5d13d67657b28dafd2d60c8b9fe4abd5439a49b9c6349007d6c735d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 90747297dadc93f0089c425cbffdaddbe12b676465517f2b88a2cc46f1acbcbe
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42F06D72408384AFEB148A56C9C4BA3FBD8EB51734F18C46AED085A296C2799C44CBB1

                                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                                          Function 00007FF887D20EE9 Relevance: 13.2, Strings: 10, Instructions: 734COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1556078750.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_7ff887d20000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: 6B$6B$6B$6B$"rB$0DL$0DL$0DL$0DL$8ML
                                                                                                                                                                                                                                                          • API String ID: 0-1300878147
                                                                                                                                                                                                                                                          • Opcode ID: 7ffc09aed399fab5e15a793e15d27255bfd68949bec9069b42db26ac654f935a
                                                                                                                                                                                                                                                          • Instruction ID: ba023bbcd7989d4f59ccf04d02e31c8ec8ec69eef6da35fcfbe9e9a113ad52fd
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ffc09aed399fab5e15a793e15d27255bfd68949bec9069b42db26ac654f935a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FC32C430B68A494FE794EB78946937D77E2FF98780F4446BDD14EC3286DE2DA8028741
                                                                                                                                                                                                                                                          Function 00007FF887D20B01 Relevance: 1.4, Strings: 1, Instructions: 127COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1556078750.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_7ff887d20000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: 6B
                                                                                                                                                                                                                                                          • API String ID: 0-2065085838
                                                                                                                                                                                                                                                          • Opcode ID: 8f1735c5ad313efac2fa26c778e96e130f0e094e1404b031b0b2bd914e902f10
                                                                                                                                                                                                                                                          • Instruction ID: 50f653eef4965c645e1ba8a2ccd2609a28a8e45bca95cdac8615f96269a0ffcf
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8f1735c5ad313efac2fa26c778e96e130f0e094e1404b031b0b2bd914e902f10
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D7319821F189098FE744B7AC58593BD76E2FF99751F544276E01DC32C6DF2C68028752
                                                                                                                                                                                                                                                          Function 00007FF887D209BD Relevance: 1.4, Strings: 1, Instructions: 112COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1556078750.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_7ff887d20000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: HBL
                                                                                                                                                                                                                                                          • API String ID: 0-3574280149
                                                                                                                                                                                                                                                          • Opcode ID: de01a45ac6977a0683ccd023d1490e265548286b033b99c013b08a0aca4e844e
                                                                                                                                                                                                                                                          • Instruction ID: 0481c5a9f5249c5b89ee40baa005caf8b3cfe395de44850b2533c90683b8742d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: de01a45ac6977a0683ccd023d1490e265548286b033b99c013b08a0aca4e844e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F5319330E5890A8FDB44EBA8C4557EDBBB1FF99340F5046B9D11AD3286DE3C6841C751
                                                                                                                                                                                                                                                          Function 00007FF887D2180C Relevance: 1.4, Strings: 1, Instructions: 102COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1556078750.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_7ff887d20000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: r6B
                                                                                                                                                                                                                                                          • API String ID: 0-2624010786
                                                                                                                                                                                                                                                          • Opcode ID: 2524dd88e543e978b4be96b73bdf1e163279c60e75b245de53c2b10e5f64542d
                                                                                                                                                                                                                                                          • Instruction ID: 6eada1ac3eb628af2947c8f17edea456594ffd9cf72a94d4c5bf72220d455f2a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2524dd88e543e978b4be96b73bdf1e163279c60e75b245de53c2b10e5f64542d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2214120B289495FE788EB6C946A378B2D2EF98751F0445BEE04EC3297DE689C418746
                                                                                                                                                                                                                                                          Function 00007FF887D21901 Relevance: 1.3, Strings: 1, Instructions: 48COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1556078750.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_7ff887d20000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: 8eL
                                                                                                                                                                                                                                                          • API String ID: 0-2915619072
                                                                                                                                                                                                                                                          • Opcode ID: 4e74a49e9d19ae6cda3ea69d6432b9c248417cdb1dcf3235116a0dd7b70241aa
                                                                                                                                                                                                                                                          • Instruction ID: 830eb52a799d4663ad4b6315eb4ee90867f74b6baad84baa03b01d609d85bfd4
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4e74a49e9d19ae6cda3ea69d6432b9c248417cdb1dcf3235116a0dd7b70241aa
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 50017B1194C6C10FE342AA3C5C141393FF2AFD6290B1847FBD499C71DBD91CAA86C342
                                                                                                                                                                                                                                                          Function 00007FF887D20C6E Relevance: .3, Instructions: 260COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1556078750.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_7ff887d20000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 25839be75c6e5af1ff6e57cb55f3ad28a2516caa011c4e515b7aaba119069874
                                                                                                                                                                                                                                                          • Instruction ID: fd2c22f96870efe5534aece4fd3a298290d4ec2d1908ae8de508ede747c1b3c4
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 25839be75c6e5af1ff6e57cb55f3ad28a2516caa011c4e515b7aaba119069874
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E8712821A5CA4A0FE795A77C98592FD7BF2FF85250B0841BAD44EC7197CE2C6C438391

                                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                                          Function 00007FF887D20EE9 Relevance: 13.2, Strings: 10, Instructions: 734COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000007.00000002.1635739526.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_7ff887d20000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: 6B$6B$6B$6B$"rB$0DL$0DL$0DL$0DL$8ML
                                                                                                                                                                                                                                                          • API String ID: 0-1300878147
                                                                                                                                                                                                                                                          • Opcode ID: b4ba83a212f1a256a3808499293dda3adfba99f81b78798f6dba3d7bf51e17f2
                                                                                                                                                                                                                                                          • Instruction ID: 6613b3ecb23fd339dd1bc78e081cf7131816fabb20d78cc4d1d0608079698398
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b4ba83a212f1a256a3808499293dda3adfba99f81b78798f6dba3d7bf51e17f2
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 96329131A68A494FE798EB7894693BDB7E2FF88740F44457DD04EC3296DE3DA8028741
                                                                                                                                                                                                                                                          Function 00007FF887D20B01 Relevance: 1.4, Strings: 1, Instructions: 127COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000007.00000002.1635739526.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_7ff887d20000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: 6B
                                                                                                                                                                                                                                                          • API String ID: 0-2065085838
                                                                                                                                                                                                                                                          • Opcode ID: 8f1735c5ad313efac2fa26c778e96e130f0e094e1404b031b0b2bd914e902f10
                                                                                                                                                                                                                                                          • Instruction ID: 50f653eef4965c645e1ba8a2ccd2609a28a8e45bca95cdac8615f96269a0ffcf
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8f1735c5ad313efac2fa26c778e96e130f0e094e1404b031b0b2bd914e902f10
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D7319821F189098FE744B7AC58593BD76E2FF99751F544276E01DC32C6DF2C68028752
                                                                                                                                                                                                                                                          Function 00007FF887D209BD Relevance: 1.4, Strings: 1, Instructions: 112COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000007.00000002.1635739526.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_7ff887d20000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: HBL
                                                                                                                                                                                                                                                          • API String ID: 0-3574280149
                                                                                                                                                                                                                                                          • Opcode ID: 06da17999dae8e71565a45b75d7deff13b3db2a7fff9abf4c7c86442d2041e1d
                                                                                                                                                                                                                                                          • Instruction ID: 3e9637317f42a4e81d638c70048222fa50405e9ac423c3225d3cd774572d2f1b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 06da17999dae8e71565a45b75d7deff13b3db2a7fff9abf4c7c86442d2041e1d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45317030E5891A8FDB48EBA8C8557EEBBB2FF99300F544579D01AD7286CE3CA841C751
                                                                                                                                                                                                                                                          Function 00007FF887D2180C Relevance: 1.4, Strings: 1, Instructions: 102COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000007.00000002.1635739526.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_7ff887d20000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: r6B
                                                                                                                                                                                                                                                          • API String ID: 0-2624010786
                                                                                                                                                                                                                                                          • Opcode ID: 4d0a18547a6da54228a2a0571872aaeacd61b8ea5029f1efc8fe7cafabd04ca8
                                                                                                                                                                                                                                                          • Instruction ID: 7d64c001292275796836850adb1d13a8e48b7dcecdf7a690328aedef78957e30
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4d0a18547a6da54228a2a0571872aaeacd61b8ea5029f1efc8fe7cafabd04ca8
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BE216120B289485FE788EB6C946A378B2D2EF9C751F0445BEE00EC3293DE689C418742
                                                                                                                                                                                                                                                          Function 00007FF887D21901 Relevance: 1.3, Strings: 1, Instructions: 48COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000007.00000002.1635739526.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_7ff887d20000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: 8eL
                                                                                                                                                                                                                                                          • API String ID: 0-2915619072
                                                                                                                                                                                                                                                          • Opcode ID: b908e1a138d7351e9f9d65fd46a4a6c84bb70b22adfaf604ac99395aef633397
                                                                                                                                                                                                                                                          • Instruction ID: ec11960fab1971a7f6ac20d206845fd4842ab8b9cd656e307c47a052e42a8263
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b908e1a138d7351e9f9d65fd46a4a6c84bb70b22adfaf604ac99395aef633397
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A2017B1194C6C10FE352AA3C581413A3FF2AFD6250B1847BBE499C71DBD91CAA86C342
                                                                                                                                                                                                                                                          Function 00007FF887D20C6E Relevance: .3, Instructions: 260COMMON
                                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000007.00000002.1635739526.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_7ff887d20000_XClient.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 51d479f673744c7788ec79f7d280640cb9dc1fe23c9fa14f7c8e282adc78e071
                                                                                                                                                                                                                                                          • Instruction ID: 3481cb1e3b6caf6a2957d02dc13162e264d7d639f991c42ec20e638807646fdb
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 51d479f673744c7788ec79f7d280640cb9dc1fe23c9fa14f7c8e282adc78e071
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 11712821A5C94A0FE795A77C98592FD7BF2FF85250B0841BAD44EC7197CE2C6C438391