Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1563919
MD5:	ce69d13cb31832ebad71933900d35458
SHA1:	e9cadfcd08d79a2624d4a5320187ae84cf6a0148
SHA256:	9effe406fd302590314a9211fda92126ea6a7721d294c93fdf755b4cdfbd0bcf
Tags:	NETAsyncRATexeMSILuser-jstrosch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 4152 cmdline: "C:\Users\user\Desktop\file.exe" MD5: CE69D13CB31832EBAD71933900D35458)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["68.178.207.33"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
file.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.2170433582.0000000000E82000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000001.00000000.2170433582.0000000000E82000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6a80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6b1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6c32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x68f2:$cnc4: POST / HTTP/1.1
00000001.00000002.4631644230.0000000003181000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: file.exe PID: 4152	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.file.exe.e80000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.0.file.exe.e80000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T16:30:35.585172+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:30:46.473399+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:30:54.448216+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:30:57.362733+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:08.249264+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:19.148244+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:24.447497+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:25.001181+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:26.490997+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:29.437039+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:40.513964+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:41.017995+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:41.250943+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:42.093401+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:42.285431+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:42.414090+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:53.061917+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:54.444376+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:00.143489+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:00.839573+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:06.171642+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:07.061790+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:07.595786+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:07.796503+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:07.972988+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:07.989059+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:08.309762+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:08.590914+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:19.570113+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:23.686466+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:23.881273+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:24.447083+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:34.094268+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:35.467386+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:36.267282+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:39.248764+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:42.389787+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:44.357858+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:44.534545+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:44.675357+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:44.725726+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:47.857958+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:49.717392+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:49.893679+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:50.015716+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:50.178718+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:50.278856+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:50.397796+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:50.461410+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:51.703428+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:54.446116+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:56.077022+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:00.750828+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:11.187077+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:11.437543+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:16.030479+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:16.798052+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:16.990055+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:17.490424+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:18.843929+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:21.858070+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:24.446494+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:27.249544+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:38.062262+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:45.029984+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:52.508084+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:53.544888+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:53.723050+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:53.860865+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:53.914777+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:54.445365+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:58.904063+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:04.703808+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:09.712246+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:09.906232+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:15.261269+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:15.442284+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:22.295420+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:24.445760+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:33.187052+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:44.075909+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:54.448986+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:54.966766+0100	2852870	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T16:30:35.669471+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:30:46.475270+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:30:57.364541+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:08.250987+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:19.150630+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:25.005601+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:26.493279+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:29.439577+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:40.517296+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:41.024126+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:41.252572+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:42.096832+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:42.289673+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:42.417533+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:53.064096+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:00.149412+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:00.843458+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:06.177364+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:07.068349+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:07.877640+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:07.989133+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:07.998371+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:08.353368+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:08.593167+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:19.573362+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:23.688889+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:23.883331+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:24.006768+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:34.096436+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:35.471001+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:36.269896+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:39.251215+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:42.392225+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:44.362788+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:44.537153+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:44.681141+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:44.847502+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:47.879096+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:50.085580+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:50.206409+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:50.369568+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:50.461556+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:50.492943+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:51.705755+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:56.079677+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:00.758978+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:11.191097+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:11.442615+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:16.038312+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:16.799981+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:16.991882+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:17.663818+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:18.845796+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:21.860938+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:27.252059+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:38.086934+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:45.032641+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:52.514591+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:53.548761+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:53.728763+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:53.862635+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:54.024087+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:58.906029+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:04.706659+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:09.720681+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:09.908380+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:10.037231+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:15.263419+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:15.444323+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:22.296180+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:33.187974+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:44.076866+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:54.967713+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T16:30:54.448216+0100	2852874	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:24.447497+0100	2852874	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:54.444376+0100	2852874	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:24.447083+0100	2852874	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:54.446116+0100	2852874	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:24.446494+0100	2852874	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:54.445365+0100	2852874	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:24.445760+0100	2852874	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:54.448986+0100	2852874	1	Malware Command and Control Activity Detected	68.178.207.33	7000	192.168.2.6	49730	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T16:32:35.890689+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.6	49730	68.178.207.33	7000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Found malware configuration

Source: file.exe

Malware Configuration Extractor: Xworm {"C2 url": ["68.178.207.33"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: file.exe	String decryptor: 68.178.207.33
Source: file.exe	String decryptor: 7000
Source: file.exe	String decryptor: <123456789>
Source: file.exe	String decryptor: <Xwormmm>
Source: file.exe	String decryptor: XWorm V5.6
Source: file.exe	String decryptor: USB.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49730 -> 68.178.207.33:7000
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 68.178.207.33:7000 -> 192.168.2.6:49730
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49730 -> 68.178.207.33:7000
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 68.178.207.33:7000 -> 192.168.2.6:49730
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49730 -> 68.178.207.33:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 68.178.207.33

Source: global traffic

TCP traffic: 192.168.2.6:49730 -> 68.178.207.33:7000

Source: Joe Sandbox View

ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS

Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33
Source: unknown	TCP traffic detected without corresponding DNS query: 68.178.207.33

Source: file.exe, 00000001.00000002.4631644230.0000000003181000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: file.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.0.file.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000000.2170433582.0000000000E82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\file.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFD33C55F46	1_2_00007FFD33C55F46
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFD33C56CF2	1_2_00007FFD33C56CF2
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFD33C52040	1_2_00007FFD33C52040
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFD33C5ACB8	1_2_00007FFD33C5ACB8

Source: file.exe, 00000001.00000000.2170433582.0000000000E82000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.0.file.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000000.2170433582.0000000000E82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: file.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\sSM7p4MT4JctLnRS

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: file.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: file.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: file.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: file.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: file.exe, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFD33C57563 push ebx; iretd		1_2_00007FFD33C5756A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFD33C500BD pushad ; iretd		1_2_00007FFD33C500C1

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 14B0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1B180000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 5175			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 4652			Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 1880	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1372	Thread sleep count: 5175 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1372	Thread sleep count: 4652 > 30	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, 00000001.00000002.4630986842.0000000001392000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\file.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: file.exe, 00000001.00000002.4630986842.0000000001392000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 1.0.file.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.2170433582.0000000000E82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4631644230.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4152, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 1.0.file.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.2170433582.0000000000E82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4631644230.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4152, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	232 Virtualization/Sandbox Evasion	LSASS Memory	232 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	84%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
file.exe	100%	Avira	HEUR/AGEN.1305769
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
68.178.207.33	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
68.178.207.33	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	file.exe, 00000001.00000002.4631644230.0000000003181000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
68.178.207.33	unknown	United States		26496	AS-26496-GO-DADDY-COM-LLCUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1563919
Start date and time:	2024-11-27 16:29:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 52 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 4152 because it is empty
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
10:30:27	API Interceptor	12911017x Sleep call for process: file.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-26496-GO-DADDY-COM-LLCUS	attached order.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	173.201.189.241
	arm7.elf	Get hash	malicious	Mirai	Browse	166.62.63.150
	https://clickproxy.retailrocket.net/?url=https%3A%2F%2Fpaydcosx.z13.web.core.windows.net	Get hash	malicious	Unknown	Browse	208.109.188.185
	Order Catalog.vbs	Get hash	malicious	GuLoader	Browse	148.72.211.211
	https://temp.farenheit.net/XMDNvVFp0d0NmOUNSbFJTSVB2QTRuZktxeWdPaG5ReWxrK1NleVgvbGgvakhBRU5TWkZPQW14RDZLMTlST0pJK3Jja1R0bjkyZkxubHc1UXhLdmU5UVNJcVIyU25JdFVIV0hEc3l3R0kvb3VpWWFlWGxvWmJMSDIwaWRkYTV3c2V3ZnpXcVArUkJXbEpTeWU1SCtuRWNpRVI2RFFuNXh1ODEyQUx3WlNCdDB1N3NjcDh2M1p4MU9qSkJ0R2VDV0VDeVJ4THU5bDM5SkkvaGMxc1hEc3pOb0VtcWl0cDUxemRyc1BwMkE9PS0tRklOcExLZUVZVVZGemhWRC0teTZKNGN1UnI2dUIxL3E5Zm91Q2hVZz09?cid=2268024206	Get hash	malicious	KnowBe4	Browse	148.66.138.157
	hkQx7f6zzw.exe	Get hash	malicious	TVrat	Browse	107.180.13.125
	botx.spc.elf	Get hash	malicious	Mirai	Browse	148.72.238.91
	63#U2467.hta	Get hash	malicious	Unknown	Browse	208.109.234.161
	https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fys-law-firm.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	107.180.47.58
	nuklear.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	148.72.252.155

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.590137030661482
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	file.exe
File size:	33'280 bytes
MD5:	ce69d13cb31832ebad71933900d35458
SHA1:	e9cadfcd08d79a2624d4a5320187ae84cf6a0148
SHA256:	9effe406fd302590314a9211fda92126ea6a7721d294c93fdf755b4cdfbd0bcf
SHA512:	7993e79a9aeee679c9342d36fcb7624f1e7616db59eff10ff50d00e84bbbc5d9d7c154601f8a94bed7f25888f43f6f1922b87af31a582221e9022e6a8c3b1409
SSDEEP:	384:hEbmX5Qa+vN1h1+X3v6JFjL+g93Tm2eaFOzFzRApkFTBLTsOZwpGd2v99IkuisQ8:SVa+vNtg+PB93Tw4OFzVFE9jZOjhKbQ
TLSH:	45E23A4877D44712D6EEAFB12DF362065270D51BE813EF6E0CE485EA2B67AC087407E6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....?g.................x..........n.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40976e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673F9912 [Thu Nov 21 20:33:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x971c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7774	0x7800	76c537747aca6a8faf752034b81d6f0c	False	0.5011067708333333	data	5.741270064473833	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x4d8	0x600	afbb984503128042cc38bf70e5e337f4	False	0.375	data	3.7203482473352403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc000	0xc	0x200	3ee5eb55d2c84cad34ece42377c6f250	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa0a0	0x244	data			0.4724137931034483
RT_MANIFEST	0xa2e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-27T16:30:35.207645+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:30:35.585172+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:30:35.669471+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:30:46.473399+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:30:46.475270+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:30:54.448216+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:30:54.448216+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:30:57.362733+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:30:57.364541+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:08.249264+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:08.250987+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:19.148244+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:19.150630+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:24.447497+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:24.447497+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:25.001181+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:25.005601+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:26.490997+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:26.493279+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:29.437039+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:29.439577+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:40.513964+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:40.517296+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:41.017995+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:41.024126+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:41.250943+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:41.252572+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:42.093401+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:42.096832+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:42.285431+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:42.289673+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:42.414090+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:42.417533+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:53.061917+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:53.064096+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:31:54.444376+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:31:54.444376+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:00.143489+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:00.149412+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:00.839573+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:00.843458+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:06.171642+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:06.177364+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:07.061790+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:07.068349+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:07.595786+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:07.796503+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:07.877640+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:07.972988+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:07.989059+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:07.989133+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:07.998371+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:08.309762+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:08.353368+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:08.590914+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:08.593167+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:19.570113+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:19.573362+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:23.686466+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:23.688889+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:23.881273+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:23.883331+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:24.006768+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:24.447083+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:24.447083+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:34.094268+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:34.096436+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:35.467386+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:35.471001+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:35.890689+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:36.267282+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:36.269896+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:39.248764+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:39.251215+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:42.389787+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:42.392225+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:44.357858+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:44.362788+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:44.534545+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:44.537153+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:44.675357+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:44.681141+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:44.725726+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:44.847502+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:47.857958+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:47.879096+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:49.717392+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:49.893679+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:50.015716+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:50.085580+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:50.178718+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:50.206409+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:50.278856+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:50.369568+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:50.397796+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:50.461410+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:50.461556+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:50.492943+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:51.703428+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:51.705755+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:32:54.446116+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:54.446116+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:56.077022+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:32:56.079677+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:00.750828+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:00.758978+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:11.187077+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:11.191097+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:11.437543+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:11.442615+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:16.030479+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:16.038312+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:16.798052+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:16.799981+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:16.990055+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:16.991882+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:17.490424+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:17.663818+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:18.843929+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:18.845796+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:21.858070+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:21.860938+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:24.446494+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:24.446494+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:27.249544+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:27.252059+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:38.062262+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:38.086934+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:45.029984+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:45.032641+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:52.508084+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:52.514591+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:53.544888+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:53.548761+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:53.723050+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:53.728763+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:53.860865+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:53.862635+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:53.914777+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:54.024087+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:33:54.445365+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:54.445365+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:58.904063+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:33:58.906029+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:04.703808+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:04.706659+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:09.712246+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:09.720681+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:09.906232+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:09.908380+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:10.037231+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:15.261269+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:15.263419+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:15.442284+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:15.444323+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:22.295420+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:22.296180+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:24.445760+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:24.445760+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:33.187052+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:33.187974+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:44.075909+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:44.076866+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP
2024-11-27T16:34:54.448986+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:54.448986+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:54.966766+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	68.178.207.33	7000	192.168.2.6	49730	TCP
2024-11-27T16:34:54.967713+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49730	68.178.207.33	7000	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2024 16:30:23.907746077 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:30:24.027911901 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:30:24.028059006 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:30:24.310255051 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:30:24.435348034 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:30:35.207644939 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:30:35.328099012 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:30:35.585171938 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:30:35.669471025 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:30:35.794652939 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:30:46.091547966 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:30:46.211700916 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:30:46.473398924 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:30:46.475270033 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:30:46.601980925 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:30:54.448215961 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:30:54.497009993 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:30:56.982335091 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:30:57.102482080 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:30:57.362732887 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:30:57.364541054 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:30:57.485820055 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:07.872251034 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:07.992258072 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:08.249264002 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:08.250987053 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:08.370942116 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:18.762865067 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:18.886019945 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:19.148243904 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:19.150629997 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:19.272701979 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:24.447496891 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:24.496928930 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:24.622502089 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:24.742511034 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:25.001180887 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:25.005600929 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:25.125535011 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:26.091212988 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:26.213761091 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:26.490997076 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:26.493278980 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:26.660846949 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:29.060112953 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:29.180919886 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:29.437038898 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:29.439577103 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:29.559675932 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:39.950628996 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:40.070672989 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:40.513963938 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:40.517296076 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:40.637177944 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:40.637777090 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:40.759155035 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:40.873552084 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:40.994241953 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:41.017995119 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:41.024126053 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:41.192662001 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:41.250942945 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:41.252572060 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:41.372700930 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:41.715904951 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:41.836710930 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:41.836780071 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:41.956732035 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:42.093400955 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:42.096832037 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:42.216864109 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:42.285430908 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:42.289673090 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:42.409874916 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:42.414089918 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:42.417532921 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:42.580373049 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:52.684777021 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:52.805162907 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:53.061917067 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:53.064095974 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:53.183990955 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:54.444375992 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:31:54.606070042 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:59.762698889 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:31:59.885339975 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:00.143488884 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:00.149411917 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:00.270555973 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:00.465995073 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:00.586261988 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:00.839572906 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:00.843457937 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:00.963984966 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:05.793919086 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:05.914228916 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:06.171642065 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:06.177364111 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:06.300837994 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:06.684417009 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:06.804434061 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:07.061789989 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:07.068348885 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:07.188702106 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:07.215713978 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:07.337750912 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:07.419266939 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:07.540421009 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:07.540508032 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:07.595786095 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:07.595843077 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:07.660605907 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:07.660664082 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:07.715976954 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:07.716047049 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:07.781327009 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:07.796503067 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:07.877584934 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:07.877640009 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:07.972987890 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:07.989058971 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:07.989132881 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:07.998323917 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:07.998370886 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:08.110486031 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:08.110554934 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:08.119976997 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:08.164505959 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:08.232222080 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:08.232333899 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:08.309762001 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:08.353225946 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:08.353368044 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:08.473911047 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:08.590914011 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:08.593167067 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:08.665961027 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:08.713274956 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:08.713485956 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:08.833585024 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:19.190773964 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:19.311274052 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:19.570112944 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:19.573362112 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:19.693412066 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:23.309427023 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:23.429508924 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:23.429625988 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:23.552114010 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:23.686465979 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:23.688889027 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:23.808947086 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:23.881273031 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:23.883331060 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:24.003459930 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:24.005330086 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:24.006767988 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:24.127024889 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:24.127166033 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:24.247097015 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:24.447082996 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:24.538201094 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:33.715533972 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:33.835639000 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:34.094268084 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:34.096436024 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:34.217972040 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:35.090527058 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:35.210606098 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:35.467386007 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:35.471000910 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:35.590877056 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:35.890688896 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:36.010669947 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:36.267282009 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:36.269896030 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:36.390928984 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:38.871731997 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:38.992260933 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:39.248764038 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:39.251214981 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:39.371881962 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:42.012567043 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:42.132545948 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:42.389786959 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:42.392225027 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:42.512309074 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:43.981142998 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:44.101062059 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:44.101119995 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:44.221332073 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:44.221725941 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:44.341687918 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:44.357857943 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:44.362787962 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:44.523976088 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:44.534544945 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:44.537153006 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:44.657828093 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:44.675357103 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:44.681140900 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:44.725725889 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:44.843977928 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:44.847501993 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:44.967586040 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:47.481307030 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:47.601363897 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:47.857958078 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:47.879096031 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:47.999397039 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:49.340751886 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:49.460757017 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:49.460859060 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:49.581490040 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:49.581583023 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:49.701544046 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:49.701735020 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:49.717391968 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:49.761946917 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:49.863892078 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:49.863945961 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:49.893678904 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:49.985492945 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:49.985552073 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:50.015716076 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:50.085508108 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:50.085580111 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:50.148061037 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:50.148118019 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:50.178718090 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:50.206353903 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:50.206408978 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:50.270821095 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:50.278856039 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:50.369467020 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:50.369568110 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:50.397795916 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:50.461410046 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:50.461555958 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:50.492842913 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:50.492943048 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:50.585534096 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:50.617724895 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:51.325088978 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:51.446657896 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:51.703428030 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:51.705754995 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:51.825747013 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:54.446115971 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:54.496310949 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:55.699909925 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:55.820020914 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:56.077022076 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:32:56.079677105 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:32:56.199635029 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:00.371845007 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:00.491975069 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:00.750828028 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:00.758977890 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:00.879832029 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:10.809469938 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:10.929989100 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:11.059192896 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:11.179531097 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:11.187077045 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:11.191097021 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:11.363697052 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:11.437542915 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:11.442615032 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:11.563020945 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:15.652765036 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:15.773643017 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:16.030478954 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:16.038311958 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:16.158235073 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:16.418636084 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:16.539052010 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:16.539138079 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:16.659172058 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:16.798052073 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:16.799981117 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:16.920172930 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:16.990055084 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:16.991882086 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:17.111938953 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:17.111994028 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:17.231920004 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:17.490423918 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:17.544455051 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:17.663817883 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:17.783905029 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:18.462271929 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:18.582285881 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:18.843929052 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:18.845796108 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:18.965949059 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:21.480891943 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:21.600884914 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:21.858069897 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:21.860938072 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:21.981333971 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:24.446494102 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:24.496138096 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:26.871608973 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:26.991628885 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:27.249543905 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:27.252058983 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:27.372039080 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:37.684591055 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:37.804572105 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:38.062262058 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:38.086934090 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:38.209384918 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:44.652879000 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:44.773091078 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:45.029983997 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:45.032640934 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:45.152748108 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:52.121387959 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:52.241538048 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:52.508084059 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:52.514590979 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:52.634701014 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:53.168212891 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:53.288327932 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:53.288387060 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:53.408577919 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:53.410850048 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:53.530910015 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:53.544888020 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:53.548760891 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:53.711623907 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:53.723050117 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:53.728763103 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:53.848776102 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:53.860865116 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:53.862634897 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:53.914777040 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:54.023658991 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:54.024086952 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:54.144144058 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:54.445364952 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:54.542843103 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:58.527460098 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:58.647526979 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:58.904062986 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:33:58.906028986 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:33:59.025966883 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:04.326752901 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:04.447130919 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:04.703808069 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:04.706659079 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:04.826575041 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:09.308619976 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:09.428703070 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:09.432785034 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:09.552906990 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:09.712245941 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:09.720680952 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:09.840800047 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:09.906232119 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:09.908380032 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:10.028368950 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:10.033322096 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:10.037230968 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:10.199384928 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:10.200793028 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:10.321471930 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:14.871334076 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:14.991420031 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:14.991488934 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:15.111587048 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:15.261269093 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:15.263418913 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:15.383568048 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:15.442284107 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:15.444323063 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:15.564542055 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:21.917973042 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:22.038116932 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:22.295419931 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:22.296180010 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:22.416371107 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:24.445760012 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:24.495781898 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:32.809170961 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:32.929181099 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:33.187052011 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:33.187973976 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:33.307912111 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:43.699134111 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:43.819255114 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:44.075908899 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:44.076865911 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:44.196743011 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:54.448986053 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:54.492023945 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:54.589721918 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:54.710038900 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:54.966766119 CET	7000	49730	68.178.207.33	192.168.2.6
Nov 27, 2024 16:34:54.967713118 CET	49730	7000	192.168.2.6	68.178.207.33
Nov 27, 2024 16:34:55.089840889 CET	7000	49730	68.178.207.33	192.168.2.6

Target ID:	1
Start time:	10:30:14
Start date:	27/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe80000
File size:	33'280 bytes
MD5 hash:	CE69D13CB31832EBAD71933900D35458
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000000.2170433582.0000000000E82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000000.2170433582.0000000000E82000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.4631644230.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FFD33C52040 Relevance: 2.4, Strings: 1, Instructions: 1145COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD33C5A77F

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 880587130000e0d1f451360f31d1bd06bbe27da8caababb5663e491bfd6952fc
Instruction ID: 378cc49d7e426642a60abcbcf076d558568b9c1d940f263faace58d5eb7e4b1d
Opcode Fuzzy Hash: 880587130000e0d1f451360f31d1bd06bbe27da8caababb5663e491bfd6952fc
Instruction Fuzzy Hash: FB82BF34B1CA1A8BFB99FB69846167D73D2FF98300F5405B8D10EE3286DE2CE8029745

Function 00007FFD33C55F46 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 409f18ed93dfa6f5f850226aeabe28264d52ea0c08b6ffdabd0a178878c36f00
Instruction ID: 509298163a3894550fa2027fb9802db3111a8a7f6350f79f3de6c3f4a75db5b1
Opcode Fuzzy Hash: 409f18ed93dfa6f5f850226aeabe28264d52ea0c08b6ffdabd0a178878c36f00
Instruction Fuzzy Hash: 40F1A330A08B8D8FEBA8DF28C8557E977E1FF55310F04426EE84DD7291DB38A9558B81

Function 00007FFD33C56CF2 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a54c7f70ee17be7668abf32314433699b5bdf23347ca124a0d7c6bf8e271bd1
Instruction ID: 15ca4d4a0d42aa98961aa7b8f876dedc20a058aca5692b2a8cc0a9daae4b6f7c
Opcode Fuzzy Hash: 0a54c7f70ee17be7668abf32314433699b5bdf23347ca124a0d7c6bf8e271bd1
Instruction Fuzzy Hash: 3BE1B430A08A4E8FEBA8DF28C8657E977D1FF54310F04426EE84DD7291DF78A9558B81

Function 00007FFD33C57EB1 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD33C57F23

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 24da5a116a67c6af1b568a180e4fec407d253fbfedc94eaad400ca328f0e7368
Instruction ID: 17391c26fdefc65c3a1c882c0df972f0ab381ea28d8fb6a6fb95709362db52dc
Opcode Fuzzy Hash: 24da5a116a67c6af1b568a180e4fec407d253fbfedc94eaad400ca328f0e7368
Instruction Fuzzy Hash: 2C21C232D0C35A4FFB00DBA4C8656EDBBE0EF46310F0502BAE56DE7192DA2C58848791

Function 00007FFD33C522FA Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24fb5697776c4a9fcfff830f9c8d6d094cea76aae5fc7a11907cb006d3d30794
Instruction ID: 8a84db5e89e58176c67661eee6b79d340c5f3af96f0aacd1952b4a5e2e129666
Opcode Fuzzy Hash: 24fb5697776c4a9fcfff830f9c8d6d094cea76aae5fc7a11907cb006d3d30794
Instruction Fuzzy Hash: 2DE13822F1DA864BF765A76C44792BD7BD1FFA5350B4800BAD08EE72D7DD28A8028345

Function 00007FFD33C50758 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f50b696e999c50c09361ad1bf0b45f404d684f5b60feab50a84a4d69dc8698
Instruction ID: 892f3e6ee4e320cfdffdab0f5e34d5dcf121ab0170fc0d0bd3fc9c5b3cb9a8c7
Opcode Fuzzy Hash: 89f50b696e999c50c09361ad1bf0b45f404d684f5b60feab50a84a4d69dc8698
Instruction Fuzzy Hash: E2D1E931B1CA598FE799EB2D84A4668B7D2FF99354B5001F9E04DD72AACE28F801C741

Function 00007FFD33C56906 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5c99f48f983c36c63135c544a4acd2dead03144b1ce459a877dea4c74ebaea
Instruction ID: 55c6d936a99e829539e902147138550404433bb67934582cf5009b1df7f17dae
Opcode Fuzzy Hash: 9e5c99f48f983c36c63135c544a4acd2dead03144b1ce459a877dea4c74ebaea
Instruction Fuzzy Hash: 13B1A330608B8D4FEB68DF28C8657E97BD1FF55310F04826EE84DC7292CB74A9558B82

Function 00007FFD33C58609 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d899e262ec0b432bf744c4c53cce6f9582d6310c5232cf7d98e8c7443223fcdc
Instruction ID: c694648b6f3e76f51245b9a1a2adfe69a83f0c923dca5a46f55efea6c01e08c6
Opcode Fuzzy Hash: d899e262ec0b432bf744c4c53cce6f9582d6310c5232cf7d98e8c7443223fcdc
Instruction Fuzzy Hash: 7E911322F0DB5E4FF799EB3988652A977D1FF44352F4402BAE10DD7193DE28A8068381

Function 00007FFD33C58B4D Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368bf489bdd5ee76528696781b05bc525228eb6ebd86bfb3410e4315b7dfe6f7
Instruction ID: 9aa75229285d0a872613415b9b5c5c5355aca47cfc86a70cde7385e8d2c84555
Opcode Fuzzy Hash: 368bf489bdd5ee76528696781b05bc525228eb6ebd86bfb3410e4315b7dfe6f7
Instruction Fuzzy Hash: 3171C531B18A5D4FEB99EB6888656FD77E1FF59311F04017AE00EE7292CE28A841C741

Function 00007FFD33C527C5 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b353fc58b9bd4bf1ff7df6354684511aef535deb77b6fc8919e954c2224625e2
Instruction ID: a559b8d082f1d49abb7f105d2669ec03462f4bf797cad89b1241eb0c65936f6f
Opcode Fuzzy Hash: b353fc58b9bd4bf1ff7df6354684511aef535deb77b6fc8919e954c2224625e2
Instruction Fuzzy Hash: 3371E921718A458BF795B7ACC461BBAB3D6EFA8304F5401B5D00DD32EBCE2CA8418759

Function 00007FFD33C58BA0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24ba9a338c73a299bec6c5ceabc72b231d83294d95df936916d2560d6e8dcf5
Instruction ID: 0d0c5b65c9acbaf168902391f243c5d95a42841625d52ec2d3ef9e887ec79ca1
Opcode Fuzzy Hash: d24ba9a338c73a299bec6c5ceabc72b231d83294d95df936916d2560d6e8dcf5
Instruction Fuzzy Hash: BD616531B18A1D4FEB98EB68D4697BD77E2FF58311F540179E40EE3296CE28AC418741

Function 00007FFD33C574E0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 206b32a1928dfe7a48f33597ec59e0a9af1e34ce88b560695bd4563b218eecc9
Instruction ID: 512a654b929af5556b9f6f2048c66e594674bbc8ade715a2abb769fbd91239ce
Opcode Fuzzy Hash: 206b32a1928dfe7a48f33597ec59e0a9af1e34ce88b560695bd4563b218eecc9
Instruction Fuzzy Hash: F2717371E08A0D8FEB68EF68D8656BDB7F1FF58311F10416AD44DE7292DE34A8418B81

Function 00007FFD33C574B3 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e8eec57397f8ee5a7f27b297eb4e6d1257a608b1138dbc587fa590dde86701
Instruction ID: 404c574777b5467fa5127a478b02d1a0ef81bbfc1ba2eda8d3bf13b93affd735
Opcode Fuzzy Hash: e5e8eec57397f8ee5a7f27b297eb4e6d1257a608b1138dbc587fa590dde86701
Instruction Fuzzy Hash: 7571B371A08B4D8FEB58EB68C8557ADBBF1FF59311F14416AD04DE3292CA34A845CB81

Function 00007FFD33C57728 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d819b5806378dc25338c438b9480179ebb05df22de2b076eb175983fefb3ca77
Instruction ID: d8eab41bbdaa25dfe949ccdb495c8d6e9906145770686e23414abb6778fc43a9
Opcode Fuzzy Hash: d819b5806378dc25338c438b9480179ebb05df22de2b076eb175983fefb3ca77
Instruction Fuzzy Hash: 7231F452B0CBD60EE753A66D68B50ED7FA0EF56250B0801F7E08DE71A7DD08684683A1

Function 00007FFD33C57F9D Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2906e8f5a2a6565d1625e9116acfb49383c69963fbf00a5354e1fcd9657811
Instruction ID: 42764c9227b8e3c00ffbcafcc3e54603574751dcf7fa79ba845ee9e6e78ba801
Opcode Fuzzy Hash: cc2906e8f5a2a6565d1625e9116acfb49383c69963fbf00a5354e1fcd9657811
Instruction Fuzzy Hash: E151A571A18A0C8FEB68EF58D8557EDB7F1FF58311F10426AD44DE3292CA34A842CB81

Function 00007FFD33C50925 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0689cf1b550957ba47112c3192fddd658d31f2b9258cd0901842b1a3bca532cf
Instruction ID: 6b3b8754887f368f6d9fcff7904f06ef5a0b73619e762883421694cf3c565776
Opcode Fuzzy Hash: 0689cf1b550957ba47112c3192fddd658d31f2b9258cd0901842b1a3bca532cf
Instruction Fuzzy Hash: FB51E422B19A5E4FEB99F76D54791AD77D2FF99210B8005B9E00EE31CBCE2CA8018750

Function 00007FFD33C588C1 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba2578ccd209e5873d20292a40d727a026b22b33cad2eeb5145cd9ccc923faf
Instruction ID: ef59f040f844f90c04676e17f555c63718db96fbcba5c7e4c1eea76c4593b2e5
Opcode Fuzzy Hash: aba2578ccd209e5873d20292a40d727a026b22b33cad2eeb5145cd9ccc923faf
Instruction Fuzzy Hash: C051C331F19A4D8FFB99EB68D8656BC77E1FF89301F4441B5E10DE3292DE28A8429740

Function 00007FFD33C57748 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe66b1d57c703aba2f5eaa5f64b08e83714424632943e15d7a6487d20247479
Instruction ID: 944bfba0816b104feae3dffeb3f1b0c2c9ff7bb2f750925f0269177d8d917a7a
Opcode Fuzzy Hash: 5fe66b1d57c703aba2f5eaa5f64b08e83714424632943e15d7a6487d20247479
Instruction Fuzzy Hash: 9C210692B0CBD60EE753A66C68650ED3BA4EF97210B0801F3E08DE71A7DD186C4683A1

Function 00007FFD33C51908 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b4d92a5ddbd48c64bd492b1fcf42807baf29e5a44a2ae74ca615d5c88f679f
Instruction ID: 132af4c0c0a6b6e93001fb070d63679cb76cd1652bfcc4c9399126e86efc6bc0
Opcode Fuzzy Hash: a3b4d92a5ddbd48c64bd492b1fcf42807baf29e5a44a2ae74ca615d5c88f679f
Instruction Fuzzy Hash: 71610430E0D78A4FFB5AE77584262A9BBA1EF56310F1802B9D05EE71D3CE2C6842C751

Function 00007FFD33C50550 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ebfdb4569d34fb14c62041dac2b2835554864a9851dae5e49021fce82cd10d
Instruction ID: 93566568bff507c59de48e1f46f35e9d0292b899cd01ebbc868f86621ecd4720
Opcode Fuzzy Hash: d3ebfdb4569d34fb14c62041dac2b2835554864a9851dae5e49021fce82cd10d
Instruction Fuzzy Hash: 9A512631A0C6498FEB18EF68C8696B87BF1EF55310F4441BED04DE7292DB38A446C791

Function 00007FFD33C57533 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da146555fbeeda6719a91141682400bfcd4f4b3f93209fac1f054f7bf373868f
Instruction ID: ff473856da8f4c4dda584c5dd145016572f2dd03b549cb687c23eb8827745c08
Opcode Fuzzy Hash: da146555fbeeda6719a91141682400bfcd4f4b3f93209fac1f054f7bf373868f
Instruction Fuzzy Hash: E251A371A08A0D8FEB68EF58D8557EDB7F1FF58311F10416ED04DE3296DA34A8418B81

Function 00007FFD33C5383C Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0d6b1a30b2b1351bf95659a1dc5c2aa46e1af277a738fa7c0a6c24502fd61a
Instruction ID: 36e87b1082b24adc4a0d9acca7507011c52522a3433478e22e9fd81a9cb99b4f
Opcode Fuzzy Hash: 7d0d6b1a30b2b1351bf95659a1dc5c2aa46e1af277a738fa7c0a6c24502fd61a
Instruction Fuzzy Hash: EF516131918A5C8FDB68DF58D855BE9BBF1FB59310F0082AAD04DE3252DE34A985CB81

Function 00007FFD33C504EA Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68c04cda410ee5e93a80cc582a39c350d4c7c02eb2012791b9393a73acc6c758
Instruction ID: 73b42e5bbc151db81f96001dca7a8860d8a6e6b9cab7aed384b3a12310723508
Opcode Fuzzy Hash: 68c04cda410ee5e93a80cc582a39c350d4c7c02eb2012791b9393a73acc6c758
Instruction Fuzzy Hash: ED51EA22B0DA990FF794A66C98762BD77C1EF99315F0802BAE08DD3297DD58AC029345

Function 00007FFD33C57768 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c06ea8894b8278524dc9dabe0bdf6ef81f48b5d53de8e9fa0d41874b78f7d01
Instruction ID: c3245f92b3f593cd11c44541057e502917866ad7beb90d433dd459d4d1da6805
Opcode Fuzzy Hash: 5c06ea8894b8278524dc9dabe0bdf6ef81f48b5d53de8e9fa0d41874b78f7d01
Instruction Fuzzy Hash: DA11D0A2B0DBD90EEB52A66C58650ED7FA0EF96210B0801F7E08DD7197D9186C4683A2

Function 00007FFD33C57778 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3dddcccee8a5a44124a9382b89bd426c5d704e91674e49f768c00bca7bdb903
Instruction ID: 3610cb5badb7ff99f6873407ad76667050d16999ef9877dfe9ace7a95e98f052
Opcode Fuzzy Hash: f3dddcccee8a5a44124a9382b89bd426c5d704e91674e49f768c00bca7bdb903
Instruction Fuzzy Hash: 7B11C662A1DBD90FEB52E76C58651AD7BE0EF96210B0801F7E04DD3197DD186C058392

Function 00007FFD33C505A0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d047034a48e1825667e40d5073fc99daf5261fd2a04b6f49134f1c7d0eb9a492
Instruction ID: 4515f685fa731e77b4b01129855db998b5af81902fd28362fcb491bdf1ea20ef
Opcode Fuzzy Hash: d047034a48e1825667e40d5073fc99daf5261fd2a04b6f49134f1c7d0eb9a492
Instruction Fuzzy Hash: D5414522F1CA4A4FF7A9F63D986A67977C2EBD5310B0801B9E48DD3297DD1CAC428341

Function 00007FFD33C57795 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b64d73fe934e92e69d1298f675c5d21467c94a1818330c94616cb875e0a153
Instruction ID: 0c477fb118caa61bfcc10f1236a9588a17ff7f891c01a9554f0720f937f3c2ea
Opcode Fuzzy Hash: 18b64d73fe934e92e69d1298f675c5d21467c94a1818330c94616cb875e0a153
Instruction Fuzzy Hash: CB01D472B1CA5D4EEB91F65C58691BD77E4EB99200B0401B6E00CD3196DE246C014392

Function 00007FFD33C51660 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc60a1e9c556bcf3bac04392e2afd4d10b617d7039a07184bdcc51bfb5df6341
Instruction ID: 697edbc8f3cc5c22039f404477808970cbb8318aa6f2609971c6cf02cd358847
Opcode Fuzzy Hash: dc60a1e9c556bcf3bac04392e2afd4d10b617d7039a07184bdcc51bfb5df6341
Instruction Fuzzy Hash: BB51B034A08A5D8FEF5DEB2CC4A9AA977E1FB25311F04016EE00ED3295CF39A841CB51

Function 00007FFD33C50B5E Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1b052bf924229712380913df06710ad52eb7dc3bf64e0e893170ae497eba1f
Instruction ID: ef86757f49b33f9274930864122e47bb04faf1e80b21043b5cbfc8f6938141a2
Opcode Fuzzy Hash: 4a1b052bf924229712380913df06710ad52eb7dc3bf64e0e893170ae497eba1f
Instruction Fuzzy Hash: 0741F721B0DA890FE795A76C886A3797BD2EF9A315F0901FFE44DC72A3CD585C028341

Function 00007FFD33C504C8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ddb44697691d2bebb1a4c7ba3c88e9a6e13ade0bede3cc2cdbb383e6662bf9
Instruction ID: e957e368c0069d1328e2f23d50e589fb5c05a469b8b221ff9b2ba5bfe92d8033
Opcode Fuzzy Hash: f7ddb44697691d2bebb1a4c7ba3c88e9a6e13ade0bede3cc2cdbb383e6662bf9
Instruction Fuzzy Hash: 1931B521B18A4D0FE798EB6C946A77DB6C2EF99315F0401BEF44ED32A7DD68AC018341

Function 00007FFD33C50E11 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5fee18a22fe3f27f10e4259ab688cb4620cab2bfb1f4b3155ac5ca666a028b2
Instruction ID: 642bde72cdd6276116301449b9efc4ac0042aac7ca62016e2ae311a207e13ade
Opcode Fuzzy Hash: f5fee18a22fe3f27f10e4259ab688cb4620cab2bfb1f4b3155ac5ca666a028b2
Instruction Fuzzy Hash: EB31E212B18A1A4FFB90B7AC982A7BD77D6FF98351F0442BAE00CE3297DD58A8414751

Function 00007FFD33C50CC1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567277ba967386714b7c36e02d5b51e41fb9e62b333f4d8094f9ed59ff88b467
Instruction ID: b2b4d01d5056f021c9decae890117e82ae8f7cb9fafc7dec6a8c3d7b0aaad9f0
Opcode Fuzzy Hash: 567277ba967386714b7c36e02d5b51e41fb9e62b333f4d8094f9ed59ff88b467
Instruction Fuzzy Hash: DE41D335B1865D8FEB55EBA888616ED77B2FF98300F5405B8D00DE329ACD2CA801C755

Function 00007FFD33C50E30 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7adb547418acf01258cb1606156c88975fa39dd77cccf82da9106bad179fb6
Instruction ID: 9cf33c8e097a7a2fc55e1be3d9a80762baea68b790c9fb4fe27c1d03881ac3fe
Opcode Fuzzy Hash: 1f7adb547418acf01258cb1606156c88975fa39dd77cccf82da9106bad179fb6
Instruction Fuzzy Hash: 7631E312B18E1E4BFB90B7AC982A7FD77C6FB98751F00027AE00DE3296DD58A8414795

Function 00007FFD33C59C89 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d8cb19252e7c8c2569deae347c3ef1c8836e1f85c757b94ac07c2e7b4fd59b
Instruction ID: 9541d1cf03eda1c78855af9e7aa1cca9b78079955c2010f74417570ef87d6841
Opcode Fuzzy Hash: c9d8cb19252e7c8c2569deae347c3ef1c8836e1f85c757b94ac07c2e7b4fd59b
Instruction Fuzzy Hash: CA31C435B0C7584FEB54EB2888657AD77E6FF99320F5501BAD00DD3292DA3CE8028781

Function 00007FFD33C59335 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6f2cd21bc13c28eb55e05248ae460935cfb4f3d140691948c922d5e242e80d
Instruction ID: 33aad5545f71b28db2398825ee8c146e0fc4a270107c3eda194afe3b5306267d
Opcode Fuzzy Hash: 3b6f2cd21bc13c28eb55e05248ae460935cfb4f3d140691948c922d5e242e80d
Instruction Fuzzy Hash: D831C13150C7488FDB25DFA8C889AEABBF0EF56320F0481AFD089D3552D774A405CB51

Function 00007FFD33C581C9 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b3f68f99e8fb44577d14bdb2d89c30441942ccd59ae13cb14ca75e8f0ec5fd
Instruction ID: 308c99437f9ec75ae52f53d15154c683d2eaa24d3b5acdcc69f4b46cb421b338
Opcode Fuzzy Hash: f3b3f68f99e8fb44577d14bdb2d89c30441942ccd59ae13cb14ca75e8f0ec5fd
Instruction Fuzzy Hash: 1031D53060CA8A8FEB47FB3CC4A55697BE1FF16215B0805E6D049C72A6DA29A842CB55

Function 00007FFD33C584C5 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e6c23d530dd1e5040494ac8b9203e4473ca5028e3d74bb1d3216ac1dfc085c
Instruction ID: 307994147d33a318cfc4102f6293b59142260fc60de0f99a2502fe0f23136f80
Opcode Fuzzy Hash: 53e6c23d530dd1e5040494ac8b9203e4473ca5028e3d74bb1d3216ac1dfc085c
Instruction Fuzzy Hash: C931DF62A0968E0FF745A7649C722E97BB1FF45320B8441BBE18DA71E3DE1C28429752

Function 00007FFD33C58362 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adbb212bcf2c12297b7e22301847eb65dfc0ba1e32f36a6134b52d120abb9da5
Instruction ID: 563575806c55ed7791f901f5f373ff2223e4b96765adad9f486a28d23aa7d5c5
Opcode Fuzzy Hash: adbb212bcf2c12297b7e22301847eb65dfc0ba1e32f36a6134b52d120abb9da5
Instruction Fuzzy Hash: 95315031B08A0D4FFF98FB6884656BD77E2FF98311B544479D50DE32A2EE28A841D740

Function 00007FFD33C59259 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d5b8133b93977f8d69bd417f7e082a99145f6ef25a9503b2d1777c975da9d5
Instruction ID: da0bfd81afaf96bb131b9a0fe5d962489a22282d0ecbb8138098df4142a27da6
Opcode Fuzzy Hash: 33d5b8133b93977f8d69bd417f7e082a99145f6ef25a9503b2d1777c975da9d5
Instruction Fuzzy Hash: 23213D31B4D68A0FE7869B6C8C215FD77D1EF96210F0442F6E18EC7192DD1CA9428351

Function 00007FFD33C58662 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5836bd13908255ad83a7a1dcab49a74256cae1b20938233383a869c026ee000d
Instruction ID: 3d777240315e552e7e02939a8b363c867caa7133c0b4ee4be21c1ad9348654a3
Opcode Fuzzy Hash: 5836bd13908255ad83a7a1dcab49a74256cae1b20938233383a869c026ee000d
Instruction Fuzzy Hash: 7E11A522F18F0E4FF758EB6998692787391FF54362F40467AD10EE3193DE29B4468281

Function 00007FFD33C59141 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 786e104c35f9d59d13c4f0b989b900cac67feca1e42148f10c9274d67e5d7b7a
Instruction ID: cbd59001f9185d5e92a3c1c82f322505fb4681ae572e297e4b10ef4cf991936c
Opcode Fuzzy Hash: 786e104c35f9d59d13c4f0b989b900cac67feca1e42148f10c9274d67e5d7b7a
Instruction Fuzzy Hash: 02219011B2CA994BFB55B7AC98367E9B7D6EB58300F5402B9E10CE32D7CD1C6840879A

Function 00007FFD33C52A6A Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988f9e93fa7306ebc8e06b3a746e8bc530bc83f2080f635ed86b1a0a96ba0dd3
Instruction ID: 4a6e88dd5d7ac29b41543f72d9da416c2d518d38c73c6d1bb797eee64b02bebe
Opcode Fuzzy Hash: 988f9e93fa7306ebc8e06b3a746e8bc530bc83f2080f635ed86b1a0a96ba0dd3
Instruction Fuzzy Hash: 4511F111718A1947FA5472ED94627FEA2CBDFE8340F544175E00DE32EBCC5CAC4157AA

Function 00007FFD33C512C1 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724f33368ff332f35fdbc808a2ad2899e8975901a7a88e50018b27bda7687326
Instruction ID: f1a210c63550f14ef815aff161b4414e44ad6a7a20cfaf0207c0206e4fec460f
Opcode Fuzzy Hash: 724f33368ff332f35fdbc808a2ad2899e8975901a7a88e50018b27bda7687326
Instruction Fuzzy Hash: CE11D611F0D7920BFB16777A4A361BC3BA2AF92350F8801B6D14CEA0D7DD1CA8569352

Function 00007FFD33C5137D Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7462470fdd928969441eda304176b50fa74c8dbfed3373675f72ed37abf3f8a6
Instruction ID: ca6542240700eae04dd1c022ed18a24b1ef63f1dd3b25d277dd94a0721b3428d
Opcode Fuzzy Hash: 7462470fdd928969441eda304176b50fa74c8dbfed3373675f72ed37abf3f8a6
Instruction Fuzzy Hash: B811C47190868C8FEB5DEF6888A92B97FE1EB69204F0441FFD44DE76A5DA3960018710

Function 00007FFD33C59BCD Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a520b2020e3bb02823fc0cf564ca0c32db9c44b8c890d3c799c10a4cdad2bad
Instruction ID: 27ae7c5ed64ef8d283b66d8fd7cb1a8fdb30751a9a5e1a29917add0fed836d68
Opcode Fuzzy Hash: 5a520b2020e3bb02823fc0cf564ca0c32db9c44b8c890d3c799c10a4cdad2bad
Instruction Fuzzy Hash: 1311CE25A4F7C65FEB57277508200AABFA0DF43214B4809FBD08DDB093C90C180AD382

Function 00007FFD33C57DF1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d371e04acc7843e6ce25be4b30758f4640546725845eb650212644671bc2db5f
Instruction ID: e9a819c383f568e6598badf45dbaa00f5ad4c061ad87c20998abb23e54ee802c
Opcode Fuzzy Hash: d371e04acc7843e6ce25be4b30758f4640546725845eb650212644671bc2db5f
Instruction Fuzzy Hash: B801F572E09B8D4FDB51EBA8886A1FD7BF0FF19311F0501BBD118D7193DA28A9458391

Function 00007FFD33C5141D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4119aebdbe338c39dca2edffe158322ea2e6e2f690de757a5c9dcb41a57a1fa2
Instruction ID: 4c43a22c4d596cdf3dd58d541bd256742f6cdb70c2901d2b425adfa54974309a
Opcode Fuzzy Hash: 4119aebdbe338c39dca2edffe158322ea2e6e2f690de757a5c9dcb41a57a1fa2
Instruction Fuzzy Hash: D9014411F0E3C64FFBA5B6B904752BD3A82AF54300F8804B8D14EE72C3DE1CA8818351

Function 00007FFD33C51328 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f608d65567ddc94cab64527543ae10fef19645af37bbfc54c1707de57e8f2cd4
Instruction ID: 67877895e104abb9d357f5e4197b02c11d8522d203ccf8a0545b822f3dde521e
Opcode Fuzzy Hash: f608d65567ddc94cab64527543ae10fef19645af37bbfc54c1707de57e8f2cd4
Instruction Fuzzy Hash: 17F0D131E0C6028BF72AEB2A826857C33A1ABA5310F400274C11DE31D2DE2CB4519340

Function 00007FFD33C51141 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0eac84339e91c58bf295312a2f8dd260f43e8638bdcfea81006ebc18f76fbb
Instruction ID: 70da471f2932b015cf0f0e5aac517d7ec563783dd214ecf46fcfbd230290c647
Opcode Fuzzy Hash: da0eac84339e91c58bf295312a2f8dd260f43e8638bdcfea81006ebc18f76fbb
Instruction Fuzzy Hash: 9CE02B3286938C4FE7425F7058221DF7B64FF51200F4505CBF80CC7052EB20A6188383

Function 00007FFD33C51284 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f99e8a0eab242b58f01cf7c20eb0b93f27f7ce12ab3ddc88612fa4f0bd6b355
Instruction ID: 43c6fdcbe4be9119bd64f7a8d407a306ba5f69fba61ac9aee84ca68c95912f4f
Opcode Fuzzy Hash: 9f99e8a0eab242b58f01cf7c20eb0b93f27f7ce12ab3ddc88612fa4f0bd6b355
Instruction Fuzzy Hash: CFD01241C5E2C60AE70B22B90D665987F908A131A0F8942D1E458D74D3DC4D649A9276

Function 00007FFD33C59C25 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52c8721d138258d029b8e975c1503b7963f114bf61c6bd56f109128a4b8b2390
Instruction ID: 24f500b675eac57efbc4ee38daf8d5742de14fd2c9812ebbaa264c553faa163d
Opcode Fuzzy Hash: 52c8721d138258d029b8e975c1503b7963f114bf61c6bd56f109128a4b8b2390
Instruction Fuzzy Hash: F2E0C2B280E7CE4FEB136B250D211D9BFB0FE53200F4905DBE5ACC60A3D55951298383

Function 00007FFD33C50795 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e65dd4ba68bbb97a4f2f36a3ef5b2bb626c93ac90d9831ab7b834ad64c2e06
Instruction ID: e83592c3dca5969ca18a4500ddcb0ab49b2e9a0fe755bf9796748d5648731af7
Opcode Fuzzy Hash: b9e65dd4ba68bbb97a4f2f36a3ef5b2bb626c93ac90d9831ab7b834ad64c2e06
Instruction Fuzzy Hash: CAB09200F7A99604A808327A0A660ACBB609B8A124FD408F0E58C90082D94E14A66282

Non-executed Functions

Function 00007FFD33C5ACB8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4633501710.00007FFD33C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd33c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae3bcb333e47c70a3149099ce9f7bf83d441a387f1f42784281ba88af65187a
Instruction ID: 6f2929bcf7db572250624ddb068725027a118bfdf34bf7e6fc564a746804262c
Opcode Fuzzy Hash: 4ae3bcb333e47c70a3149099ce9f7bf83d441a387f1f42784281ba88af65187a
Instruction Fuzzy Hash: 6971EB2064F7C54FE343A3399868AA97F91AF83325F0D41FBE08DCE4A3DA995406C752

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
file.exe