
Windows Analysis Report
17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe

Overview

General Information

Sample name: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe
Analysis ID: 1569842
MD5: c8406a867e34927d2548617585974093
SHA1: 063c29b27e011c88badf9caa46b98bbf29881552
SHA256: 9725cb27377a320cb84dee9c2c97a2d7decf3700907d159919f9d6c9929c0f20
Tags: base64-decoded, exe, user-abuse_ch

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
{
  "C2 url": [
    "87.120.116.179"
  ],
  "Port": 1300,
  "Aes key": "<123456789>",
  "SPL": "<Xwormmm>",
  "Install file": "USB.exe"
}
Source | Rule | Description | Author | Strings
17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x7a30:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7acd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7be2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x76de:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
00000000.00000000.1680317158.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.1680317158.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x7830:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x78cd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x79e2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x74de:$cnc4: POST / HTTP/1.1
00000000.00000002.4134680347.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Process Memory Space: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe PID: 7312 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Source | Rule | Description | Author | Strings
0.0.17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe.ee0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe.ee0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x7a30:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7acd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7be2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x76de:$cnc4: POST / HTTP/1.1
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T10:45:10.012561+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 20.42.65.92 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T10:45:20.237526+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:45:22.870232+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:45:34.309199+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:45:48.403113+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:45:52.887469+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:02.639083+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:13.402380+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:13.562024+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:13.724184+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:13.876027+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:22.869345+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:27.767485+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:33.979100+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:36.452951+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:40.276703+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:44.137052+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:52.902883+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:54.418333+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:59.063572+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:59.417186+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:59.773008+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:00.473181+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:09.449488+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:16.143283+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:16.334308+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:16.457414+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:19.544350+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:21.526502+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:21.718667+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:21.840787+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:22.465356+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:22.907378+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:23.108367+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:25.714803+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:29.092532+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:41.762165+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:41.954174+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:42.077023+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:46.902252+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:47.094156+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:52.199422+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:52.363559+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:52.951124+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:57.449464+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:57.641728+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:57.763339+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:03.034445+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:07.939322+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:08.131093+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:08.254189+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:08.322968+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:15.126432+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:16.312336+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:18.183822+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:18.342394+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:18.505216+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:19.824741+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:20.360184+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:22.936353+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:23.605547+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:28.481776+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:28.673621+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:29.699284+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:33.605831+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:34.857856+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:38.028728+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:45.012283+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:50.625045+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:52.938051+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:53.966851+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:54.158946+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:55.590414+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:49:07.778575+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:49:21.871580+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:49:22.960803+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T10:45:20.288983+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:45:34.311152+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:45:48.405595+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:02.641232+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:13.411872+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:13.563967+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:13.726688+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:13.888252+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:27.769536+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:33.988588+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:36.455715+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:40.284552+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:44.139066+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:54.420364+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:59.065599+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:59.367937+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:59.680450+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:00.289979+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:09.451846+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:16.145186+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:16.335935+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:16.459198+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:19.546498+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:21.528755+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:21.720390+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:21.842659+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:22.468717+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:23.110030+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:25.726058+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:29.273081+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:41.765210+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:41.956201+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:42.081413+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:46.904504+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:47.096237+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:52.204403+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:52.369057+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:52.518040+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:57.451448+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:57.643532+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:57.765339+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:03.040925+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:07.942054+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:08.138182+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:08.269111+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:08.389111+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:15.129377+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:16.315944+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:18.192988+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:18.344169+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:18.752539+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:19.826458+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:20.363527+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:23.608404+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:28.484139+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:28.676030+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:29.703199+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:33.608108+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:34.869441+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:38.030315+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:45.016030+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:50.628005+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:53.968753+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:54.160638+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:55.597858+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:49:07.779320+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:49:21.872515+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T10:45:22.870232+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:45:52.887469+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:22.869345+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:52.902883+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:22.907378+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:52.951124+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:22.936353+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:52.938051+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:49:22.960803+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T10:47:41.368508+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
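The SID 2852874 table above (the C2's inbound PING command) fires every 30 seconds for the whole run, while the 2852870/2852923 check-in alerts arrive in irregular bursts. That cadence is the most durable network indicator in this report: the IP and port can change per build, but a fixed-period heartbeat survives. The script below is an added example, not code from the Joe Sandbox report or from XWorm itself. It takes the alert rows as they appear in this report (all nine 2852874 rows and a subset of the 2852870 rows, copied from the tables above) and separates periodic flows from bursty ones by measuring the spread of inter-alert gaps around their median. The rule names are taken from the report's Networking section; the jitter and minimum-event thresholds are assumed tuning values, not anything the report states.

```python
"""Beacon-cadence triage over the Suricata alerts in this report.

Added example, not part of the Joe Sandbox report or of XWorm. The rows in
ALERTS are copied from the report's Suricata tables: every 2852874 row and a
subset of the 2852870 rows (enough to show the bursty pattern). Thresholds in
beacon_candidates() are assumed tuning values.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

C2 = "87.120.116.179:1300"      # C2 endpoint from the extracted config
VICTIM = "192.168.2.4:49735"    # sandbox VM's ephemeral port in the report

# (timestamp, SID, source, destination), copied from the report's tables.
ALERTS = [
    ("2024-12-06T10:45:20.237526+0100", 2852870, C2, VICTIM),
    ("2024-12-06T10:45:20.288983+0100", 2852923, VICTIM, C2),
    ("2024-12-06T10:45:22.870232+0100", 2852874, C2, VICTIM),
    ("2024-12-06T10:45:34.309199+0100", 2852870, C2, VICTIM),
    ("2024-12-06T10:45:48.403113+0100", 2852870, C2, VICTIM),
    ("2024-12-06T10:45:52.887469+0100", 2852874, C2, VICTIM),
    ("2024-12-06T10:46:02.639083+0100", 2852870, C2, VICTIM),
    ("2024-12-06T10:46:13.402380+0100", 2852870, C2, VICTIM),
    ("2024-12-06T10:46:13.562024+0100", 2852870, C2, VICTIM),
    ("2024-12-06T10:46:13.724184+0100", 2852870, C2, VICTIM),
    ("2024-12-06T10:46:13.876027+0100", 2852870, C2, VICTIM),
    ("2024-12-06T10:46:22.869345+0100", 2852874, C2, VICTIM),
    ("2024-12-06T10:46:52.902883+0100", 2852874, C2, VICTIM),
    ("2024-12-06T10:47:22.907378+0100", 2852874, C2, VICTIM),
    ("2024-12-06T10:47:52.951124+0100", 2852874, C2, VICTIM),
    ("2024-12-06T10:48:22.936353+0100", 2852874, C2, VICTIM),
    ("2024-12-06T10:48:52.938051+0100", 2852874, C2, VICTIM),
    ("2024-12-06T10:49:22.960803+0100", 2852874, C2, VICTIM),
]

# Rule names as listed in the report's Networking section.
SID_NAMES = {
    2852870: "ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes",
    2852923: "ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)",
    2852874: "ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2",
}


def parse_ts(s):
    # Joe Sandbox prints the UTC offset as +0100 (no colon); %z accepts that.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def cadence(alerts):
    """Per (SID, src, dst) flow: event count, median gap between consecutive
    alerts and the largest deviation from that median, in seconds.
    Flows with a single event get (1, None, None)."""
    stamps = defaultdict(list)
    for ts, sid, src, dst in alerts:
        stamps[(sid, src, dst)].append(parse_ts(ts))
    stats = {}
    for key, times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if not gaps:
            stats[key] = (len(times), None, None)
            continue
        med = median(gaps)
        stats[key] = (len(times), med, max(abs(g - med) for g in gaps))
    return stats


def beacon_candidates(alerts, min_events=4, max_jitter=0.5):
    """Flows whose gaps all sit within max_jitter seconds of the median
    period are heartbeat-like; bursty command traffic fails the test."""
    found = []
    for (sid, src, dst), (n, med, dev) in cadence(alerts).items():
        if n >= min_events and dev is not None and dev <= max_jitter:
            found.append((sid, src, dst, round(med, 3)))
    return found


if __name__ == "__main__":
    for sid, src, dst, period in beacon_candidates(ALERTS):
        print(f"SID {sid} ({SID_NAMES.get(sid, 'unknown')}): "
              f"{src} -> {dst} every ~{period}s")
```

Run against the rows above, only the 2852874 flow qualifies, with a period of about 30.01 s and under 0.05 s of deviation; the 2852870 check-in alerts have gaps from 0.15 s to 14 s and are rejected. On a production sensor the same grouping can be applied to flow logs rather than alerts, which is how a heartbeat to a C2 that no signature covers yet would still surface.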



            AV Detection

Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Avira: detected
Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Malware Configuration Extractor: Xworm {"C2 url": ["87.120.116.179"], "Port": 1300, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Joe Sandbox ML: detected
Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | String decryptor: 87.120.116.179
Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | String decryptor: 1300
Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | String decryptor: <123456789>
Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | String decryptor: <Xwormmm>
Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | String decryptor: 04-12-24
Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | String decryptor: USB.exe
Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49735 -> 87.120.116.179:1300
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 87.120.116.179:1300 -> 192.168.2.4:49735
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49735 -> 87.120.116.179:1300
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 87.120.116.179:1300 -> 192.168.2.4:49735
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49735 -> 87.120.116.179:1300
Source: Malware configuration extractor | URLs: 87.120.116.179
Source: global traffic | TCP traffic: 192.168.2.4:49735 -> 87.120.116.179:1300
Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 20.42.65.92:443
Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, 00000000.00000002.4134680347.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, XLogger.cs | .Net Code: KeyboardLayout

            System Summary

            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.0.17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000000.1680317158.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Code function: 0_2_00007FFD9A40A6A4
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Code function: 0_2_00007FFD9A4074D2
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Code function: 0_2_00007FFD9A406726
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, 00000000.00000002.4134323590.000000000139C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, 00000000.00000000.1680333668.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamevivir.exe4 vs 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Binary or memory string: OriginalFilenamevivir.exe4 vs 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.0.17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000000.1680317158.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\r7O2tFE3Q2xbyr2S
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | ReversingLabs: Detection: 84%
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: avicap32.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: msvfw32.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, Messages.cs | .Net Code: Memory
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Code function: 0_2_00007FFD9A402962 pushad ; retf 0_2_00007FFD9A4029E1
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Code function: 0_2_00007FFD9A4029E2 push eax; iretd 0_2_00007FFD9A402A21
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX (46 identical entries)

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Memory allocated: 1340000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Memory allocated: 1B0F0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Window / User API: threadDelayed 9282
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Window / User API: threadDelayed 544
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe TID: 7436 | Thread sleep time: -23980767295822402s >= -30000s
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe TID: 7440 | Thread sleep count: 9282 > 30
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe TID: 7440 | Thread sleep count: 544 > 30
            Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Thread delayed: delay time: 922337203685477
            Source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, 00000000.00000002.4136972598.000000001C050000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Process Stats: CPU usage > 42% for more than 60s
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Process token adjusted: Debug
            Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Queries volume information: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe VolumeInformation
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe.ee0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.1680317158.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.4134680347.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe PID: 7312, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe.ee0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.1680317158.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.4134680347.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe PID: 7312, type: MEMORYSTR

            MITRE ATT&CK Matrix (one line per tactic; a leading number is the report's signature-hit counter as extracted)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
            Execution: 11 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Defense Evasion: 1 Disable or Modify Tools; 232 Virtualization/Sandbox Evasion; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
            Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
            Discovery: 211 Security Software Discovery; 1 Process Discovery; 232 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery; Wi-Fi Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
            Collection: 1 Input Capture; 11 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
            Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1569842; Sample: 17334769266ba75a70859e94894...; Startdate: 06/12/2024; Architecture: WINDOWS; Score: 100)

Top-level signatures:
• Suricata IDS alerts for network traffic
• Found malware configuration
• Malicious sample detected (through community Yara rule)
• 10 other signatures

Process started: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe

DNS/IP info for this process:
• 87.120.116.179, port 1300 (local port 49735), UNACS-AS-BG8000BurgasBG, Bulgaria

Process signatures:
• Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
• Found potential dummy code loops (likely to delay analysis)

Source | Detection | Scanner | Label
17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | 100% | Avira | TR/Spy.Gen
17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | 100% | Joe Sandbox ML | -
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
87.120.116.179 | 0% | Avira URL Cloud | safe


No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
87.120.116.179 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe, 00000000.00000002.4134680347.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
87.120.116.179 | unknown | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1569842
Start date and time: 2024-12-06 10:44:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 5
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 93.184.221.240
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe
Time | Type | Description
04:45:04 | API Interceptor | 14086343x Sleep call for process: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe modified
              No context
              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNACS-AS-BG8000BurgasBG | yIla7SeJ6r.doc | malicious | XenoRAT | 87.120.120.27
UNACS-AS-BG8000BurgasBG | gjot5vxpIC.exe | malicious | XenoRAT | 87.120.120.27
UNACS-AS-BG8000BurgasBG | file.exe | malicious | Amadey, AsyncRAT, Stealc, Vidar | 87.120.125.31
UNACS-AS-BG8000BurgasBG | po4877383.exe | malicious | RedLine | 87.120.120.86
UNACS-AS-BG8000BurgasBG | e824975.html | malicious | Unknown | 87.120.114.172
UNACS-AS-BG8000BurgasBG | qqig1mHX8U.exe | malicious | AveMaria, DBatLoader, UACMe | 87.120.125.217
UNACS-AS-BG8000BurgasBG | RFQ LIST 767655776478637584637865763478634365634444444444444444453.exe | malicious | GuLoader | 87.120.114.159
UNACS-AS-BG8000BurgasBG | New listed items 7648767856387547354734567465647568487.exe | malicious | Discord Token Stealer, GuLoader | 87.120.114.159
UNACS-AS-BG8000BurgasBG | file.exe | malicious | AsyncRAT, XWorm | 87.120.113.179
              No context
              No context
              No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.609837847610175
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe
File size: 36'864 bytes
MD5: c8406a867e34927d2548617585974093
SHA1: 063c29b27e011c88badf9caa46b98bbf29881552
SHA256: 9725cb27377a320cb84dee9c2c97a2d7decf3700907d159919f9d6c9929c0f20
SHA512: 035a1a8b0b3954dd94bc06afd6fe3406a087da0daa83bdd4dfe1b6496b9c7e4cf4e020110a000b8a955e4d768ecd7e9e6797d8ff5a2432df4cbea9482d785408
SSDEEP: 768:kL13A5Uno9RfHWa2BLTeo8icH1bxbFb9E2OMhJQXvv:ixA5Uno9JHWXHeNicH1bBFb9E2OMH6v
TLSH: 44F24B48BBA04216D9ED6BF4A97372020274D613D917EB4E4CD48ADB6F23BC08D513EA
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....IPg................................. ........@.. ....................................@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x40a5de
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6750490C [Wed Dec 4 12:20:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(The "add byte ptr [eax], al" line repeats for the rest of the entry-point listing: after the single jmp through the IAT, the remaining bytes are zero padding, which disassembles as this instruction.)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa590 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4d0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x85e4 | 0x8600 | d3f56dee6c09309eed278f2ef1c580ad | False | 0.49897971082089554 | data | 5.746421584021758 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x4d0 | 0x600 | cf5ebb40b8bed86b9818d45ec3dc9abd | False | 0.3736979166666667 | data | 3.6896378340282547 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | 0a3a083968c42d8366b2de0e8564a094 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x23c | data | | | 0.4772727272727273
RT_MANIFEST | 0xc2e0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-06T10:45:10.012561+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 20.42.65.92 | 443 | TCP
2024-12-06T10:45:19.843682+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:45:20.237526+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:45:20.288983+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:45:22.870232+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:45:22.870232+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:45:34.309199+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:45:34.311152+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:45:48.403113+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:45:48.405595+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:45:52.887469+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:45:52.887469+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:02.639083+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:02.641232+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:13.402380+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:13.411872+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:13.562024+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:13.563967+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:13.724184+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:13.726688+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:13.876027+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:13.888252+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:22.869345+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:22.869345+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:27.767485+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:27.769536+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:33.979100+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:33.988588+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:36.452951+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:36.455715+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:40.276703+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:40.284552+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:44.137052+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:44.139066+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:52.902883+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:52.902883+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:54.418333+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:54.420364+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:59.063572+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:59.065599+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:59.367937+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:59.417186+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:46:59.680450+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:46:59.773008+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:00.289979+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:00.473181+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:09.449488+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:09.451846+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:16.143283+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:16.145186+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:16.334308+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:16.335935+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:16.457414+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:16.459198+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:19.544350+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:19.546498+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:21.526502+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:21.528755+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:21.718667+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:21.720390+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:21.840787+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:21.842659+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:22.465356+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:22.468717+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:22.907378+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:22.907378+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:23.108367+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:23.110030+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:25.714803+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:25.726058+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:29.092532+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:29.273081+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:41.368508+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:41.762165+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:41.765210+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:41.954174+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:41.956201+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:42.077023+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:42.081413+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:46.902252+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:46.904504+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:47.094156+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:47.096237+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:52.199422+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:52.204403+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:52.363559+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:52.369057+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:52.518040+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:52.951124+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:52.951124+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:57.449464+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:57.451448+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:57.641728+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:57.643532+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:47:57.763339+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:47:57.765339+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:03.034445+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:03.040925+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:07.939322+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:07.942054+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:08.131093+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:08.138182+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:08.254189+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:08.269111+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:08.322968+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:08.389111+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:15.126432+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:15.129377+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:16.312336+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:16.315944+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:18.183822+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:18.192988+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:18.342394+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:18.344169+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:18.505216+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:18.752539+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:19.824741+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:19.826458+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:20.360184+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:20.363527+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:22.936353+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:22.936353+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:23.605547+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
2024-12-06T10:48:23.608404+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49735 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:48:28.481776+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49735 | TCP
              2024-12-06T10:48:28.484139+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973587.120.116.1791300TCP
              2024-12-06T10:48:28.673621+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449735TCP
              2024-12-06T10:48:28.676030+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973587.120.116.1791300TCP
              2024-12-06T10:48:29.699284+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449735TCP
              2024-12-06T10:48:29.703199+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973587.120.116.1791300TCP
              2024-12-06T10:48:33.605831+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449735TCP
              2024-12-06T10:48:33.608108+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973587.120.116.1791300TCP
              2024-12-06T10:48:34.857856+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449735TCP
              2024-12-06T10:48:34.869441+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973587.120.116.1791300TCP
              2024-12-06T10:48:38.028728+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449735TCP
              2024-12-06T10:48:38.030315+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973587.120.116.1791300TCP
              2024-12-06T10:48:45.012283+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449735TCP
              2024-12-06T10:48:45.016030+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973587.120.116.1791300TCP
              2024-12-06T10:48:50.625045+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449735TCP
              2024-12-06T10:48:50.628005+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973587.120.116.1791300TCP
              2024-12-06T10:48:52.938051+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449735TCP
              2024-12-06T10:48:52.938051+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.116.1791300192.168.2.449735TCP
              2024-12-06T10:48:53.966851+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449735TCP
              2024-12-06T10:48:53.968753+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973587.120.116.1791300TCP
              2024-12-06T10:48:54.158946+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449735TCP
              2024-12-06T10:48:54.160638+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973587.120.116.1791300TCP
              2024-12-06T10:48:55.590414+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449735TCP
              2024-12-06T10:48:55.597858+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973587.120.116.1791300TCP
              2024-12-06T10:49:07.778575+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449735TCP
              2024-12-06T10:49:07.779320+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973587.120.116.1791300TCP
              2024-12-06T10:49:21.871580+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449735TCP
              2024-12-06T10:49:21.872515+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973587.120.116.1791300TCP
              2024-12-06T10:49:22.960803+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449735TCP
              2024-12-06T10:49:22.960803+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.116.1791300192.168.2.449735TCP
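The alert table above, read as structured records. This is an added example and is not part of the Joe Sandbox report: a subset of the alert rows is re-entered below as tuples with the columns separated (the report itself runs them together), and the code pulls out the two things a responder wants from such a log: the fixed period of the server-initiated PING command (SID 2852874) and the client's latency to each server check-in (SID 2852870, answered by SID 2852923). The SID meanings are taken from the signature names in the table; the 5 % jitter threshold and the one-second reply window are assumptions chosen for this example.

```python
"""Beacon period and reply latency from the XWorm Suricata alerts above.

Added example for this page; it is not part of the Joe Sandbox report.
The records below are a subset of the alert rows, re-entered as tuples
with the columns separated. SID meanings are taken from the signature
names in the table; the jitter threshold and reply window are assumptions.
"""
from datetime import datetime, timedelta
from statistics import mean, pstdev

# (timestamp, SID, source IP, source port, destination IP, destination port)
# Constructed from the alert table above; only the rows needed for the pattern.
ALERTS = [
    ("2024-12-06T10:48:07.942054+0100", 2852923, "192.168.2.4", 49735, "87.120.116.179", 1300),
    ("2024-12-06T10:48:08.131093+0100", 2852870, "87.120.116.179", 1300, "192.168.2.4", 49735),
    ("2024-12-06T10:48:08.138182+0100", 2852923, "192.168.2.4", 49735, "87.120.116.179", 1300),
    ("2024-12-06T10:48:08.254189+0100", 2852870, "87.120.116.179", 1300, "192.168.2.4", 49735),
    ("2024-12-06T10:48:08.269111+0100", 2852923, "192.168.2.4", 49735, "87.120.116.179", 1300),
    ("2024-12-06T10:48:22.936353+0100", 2852870, "87.120.116.179", 1300, "192.168.2.4", 49735),
    ("2024-12-06T10:48:22.936353+0100", 2852874, "87.120.116.179", 1300, "192.168.2.4", 49735),
    ("2024-12-06T10:48:23.605547+0100", 2852870, "87.120.116.179", 1300, "192.168.2.4", 49735),
    ("2024-12-06T10:48:23.608404+0100", 2852923, "192.168.2.4", 49735, "87.120.116.179", 1300),
    ("2024-12-06T10:48:52.938051+0100", 2852870, "87.120.116.179", 1300, "192.168.2.4", 49735),
    ("2024-12-06T10:48:52.938051+0100", 2852874, "87.120.116.179", 1300, "192.168.2.4", 49735),
    ("2024-12-06T10:49:22.960803+0100", 2852870, "87.120.116.179", 1300, "192.168.2.4", 49735),
    ("2024-12-06T10:49:22.960803+0100", 2852874, "87.120.116.179", 1300, "192.168.2.4", 49735),
]

SID_CHECKIN_CLIENT = 2852923  # "... CnC Checkin - Generic Prefix Bytes (Client)"
SID_CHECKIN_SERVER = 2852870  # "... CnC Checkin - Generic Prefix Bytes" (server -> client)
SID_PING_INBOUND = 2852874    # "... CnC PING Command Inbound M2"


def parse_ts(ts: str) -> datetime:
    """The report writes offsets as +0100 (no colon); strptime's %z accepts that."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def times_for(alerts, sid):
    """Sorted timestamps of every alert carrying the given SID."""
    return sorted(parse_ts(a[0]) for a in alerts if a[1] == sid)


def c2_endpoint(alerts):
    """The (ip, port) the client check-ins are sent to, i.e. the C2 listener."""
    targets = {(a[4], a[5]) for a in alerts if a[1] == SID_CHECKIN_CLIENT}
    if len(targets) != 1:
        raise ValueError(f"expected one C2 endpoint, saw {targets}")
    return targets.pop()


def beacon_period(times, max_rel_jitter=0.05):
    """(mean gap, population stdev) in seconds when the gaps between
    consecutive alerts are regular to within max_rel_jitter of the mean,
    else None. Needs at least three alerts (two gaps) to say anything."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    mu, sigma = mean(gaps), pstdev(gaps)
    return (mu, sigma) if sigma <= max_rel_jitter * mu else None


def reply_latencies_us(alerts, window_us=1_000_000):
    """Microseconds between each client check-in and the most recent server
    check-in before it. A client alert with no server alert before it (the
    initial connect) or none inside the window is skipped."""
    server = times_for(alerts, SID_CHECKIN_SERVER)
    out = []
    for c in times_for(alerts, SID_CHECKIN_CLIENT):
        prior = [s for s in server if s <= c]
        if not prior:
            continue
        lat = (c - prior[-1]) // timedelta(microseconds=1)  # int microseconds
        if lat <= window_us:
            out.append(lat)
    return out


def summarize(alerts):
    ip, port = c2_endpoint(alerts)
    return {
        "c2": f"{ip}:{port}",
        "ping_period": beacon_period(times_for(alerts, SID_PING_INBOUND)),
        "checkin_period": beacon_period(times_for(alerts, SID_CHECKIN_SERVER)),
        "reply_latency_us": reply_latencies_us(alerts),
    }


if __name__ == "__main__":
    for key, value in summarize(ALERTS).items():
        print(f"{key}: {value}")
```

On these rows the PING command comes out at a period of about 30 s with roughly 10 ms of jitter, while the Checkin alerts are not periodic at all (they track operator activity on the channel), which is why the PING signature, not the Checkin one, is the right anchor for a beaconing rule. The reply latencies (single-digit milliseconds) confirm the client answers the server within the same TCP session rather than reconnecting. On a real sensor the full alert stream would be fed in, not this hand-entered subset.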
Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Dec 6, 2024 10:45:05.186167955 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:45:05.306550980 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:45:05.306648970 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:45:05.738723040 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:45:05.858526945 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:45:19.843682051 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:45:19.963715076 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:45:20.237525940 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:45:20.288983107 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:45:20.409085035 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:45:22.870232105 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:45:22.918912888 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:45:33.914980888 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:45:34.034883976 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:45:34.309199095 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:45:34.311151981 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:45:34.431222916 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:45:48.008822918 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:45:48.128803968 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:45:48.403112888 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:45:48.405595064 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:45:48.525791883 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:45:52.887469053 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:45:52.930049896 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:02.246356964 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:02.366173029 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:02.639082909 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:02.641232014 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:02.761806011 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:13.008929014 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:13.129084110 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:13.129143953 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:13.249716997 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:13.249948978 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:13.369836092 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:13.402379990 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:13.411871910 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:13.562024117 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:13.563966990 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:13.724184036 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:13.726687908 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:13.876027107 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:13.888252020 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:14.049182892 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:22.869344950 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:22.914593935 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:27.243412971 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:27.363166094 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:27.767484903 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:27.769536018 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:27.889362097 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:33.586899996 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:33.706589937 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:33.979099989 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:33.988588095 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:34.108608961 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:36.059278965 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:36.179469109 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:36.452950954 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:36.455714941 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:36.575560093 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:39.883794069 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:40.003727913 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:40.276702881 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:40.284552097 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:40.404437065 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:43.743320942 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:43.863301039 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:44.137052059 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:44.139065981 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:44.258941889 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:52.902883053 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:52.946005106 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:54.024393082 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:54.144891977 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:54.418333054 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:54.420363903 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:54.541729927 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:58.667418957 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:58.787292004 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:59.063571930 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:59.065598965 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:59.367937088 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:59.417186022 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:59.417237997 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:59.680449963 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:46:59.773008108 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:46:59.773083925 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:00.289978981 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:00.473181009 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:00.473825932 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:00.651269913 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:00.771188974 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:00.771524906 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:00.892559052 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:09.055834055 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:09.176001072 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:09.449487925 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:09.451845884 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:09.571563959 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:15.748862028 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:15.868773937 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:15.899707079 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:16.019608974 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:16.022021055 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:16.142059088 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:16.143282890 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:16.145185947 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:16.313008070 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:16.334307909 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:16.335935116 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:16.455915928 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:16.457413912 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:16.459197998 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:16.620971918 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:19.150639057 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:19.271411896 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:19.544349909 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:19.546498060 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:19.666583061 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:21.134125948 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:21.253855944 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:21.253921986 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:21.373634100 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:21.526501894 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:21.528754950 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:21.648647070 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:21.718667030 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:21.720390081 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:21.840786934 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:21.842255116 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:21.842658997 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:21.962565899 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:22.071508884 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:22.191566944 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:22.465356112 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:22.468717098 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:22.588489056 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:22.715538979 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:22.835527897 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:22.907377958 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:22.961821079 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:23.108366966 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:23.110029936 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:23.229948044 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:25.321643114 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:25.441330910 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:25.714802980 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:25.726058006 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:25.845925093 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:28.699567080 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:28.819417000 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:29.092531919 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:29.139988899 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:29.273081064 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:29.393006086 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:41.368508101 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:41.488224030 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:41.488292933 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:41.608093023 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:41.762165070 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:41.765209913 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:41.884985924 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:41.954174042 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:41.956201077 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:42.075941086 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:42.077023029 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:42.081413031 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:42.244812012 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:46.509144068 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:46.628983021 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:46.629065990 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:46.748944998 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:46.902251959 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:46.904504061 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:47.024844885 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:47.094156027 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:47.096236944 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:47.216108084 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:51.806175947 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:51.925874949 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:51.925935984 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:52.045588970 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:52.051687002 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:52.171717882 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:52.199421883 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:52.204402924 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:52.363559008 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:52.369056940 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:52.516213894 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:52.518039942 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:52.680814981 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:52.680875063 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:52.681824923 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:52.802202940 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:52.802403927 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:52.922161102 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:52.951123953 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:52.995703936 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:57.056154966 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:57.217859030 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:57.217911959 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:57.338135004 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:57.449464083 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:57.451447964 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:57.571254969 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:57.641727924 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:57.643532038 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:57.763283014 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:57.763339043 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:47:57.765338898 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:47:57.928839922 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:02.639758110 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:02.759607077 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:03.034445047 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:03.040925026 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:03.160695076 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:07.493711948 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:07.613665104 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:07.613714933 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:07.733819962 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:07.733874083 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:07.853730917 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:07.939321995 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:07.942054033 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:08.061898947 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:08.131093025 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:08.138181925 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:08.254189014 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:08.258013010 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:08.269110918 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:08.322968006 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:08.368455887 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:08.389014959 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:08.389111042 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:08.509263992 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:14.731827974 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:14.851886988 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:15.126431942 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:15.129376888 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:15.249219894 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:15.917193890 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:16.037113905 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:16.312335968 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:16.315943956 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:16.435825109 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:17.790541887 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:17.910288095 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:17.910342932 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:18.030004978 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:18.030072927 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:18.149851084 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:18.183821917 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:18.192987919 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:18.342394114 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:18.344168901 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:18.505215883 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:18.555902004 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:18.752538919 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:18.912877083 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:19.431268930 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:19.551178932 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:19.824740887 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:19.826457977 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:19.946203947 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:19.946284056 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:20.066220045 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:20.360183954 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:20.363527060 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:20.483381033 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:22.936352968 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:22.993417978 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:23.212667942 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:23.332529068 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:23.605546951 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:23.608403921 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:23.728775024 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:28.087753057 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:28.207899094 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:28.207989931 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:28.330106974 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:28.481775999 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:28.484138966 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:28.604140043 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:28.673620939 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:28.676029921 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:28.795805931 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:29.306423903 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:29.426429033 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:29.699284077 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:29.703198910 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:29.823060989 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:33.212765932 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:33.333093882 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:33.605830908 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:33.608108044 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:33.727932930 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:34.463936090 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:34.584708929 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:34.857856035 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:34.869441032 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:34.989300966 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:37.634497881 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:37.754292011 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:38.028728008 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:38.030314922 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:38.150254011 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:44.618890047 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:44.738696098 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:45.012283087 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:45.016030073 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:45.135766029 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:50.232011080 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:50.351932049 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:50.625045061 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:50.628005028 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:50.748209000 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:52.938050985 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:52.994214058 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:53.572060108 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:53.693777084 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:53.693840027 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:53.813699007 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:53.966850996 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:53.968753099 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:54.090375900 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:54.158946037 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:54.160638094 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:54.283411026 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:55.197129011 CET  49735        1300       192.168.2.4     87.120.116.179
Dec 6, 2024 10:48:55.317107916 CET  1300         49735      87.120.116.179  192.168.2.4
Dec 6, 2024 10:48:55.590414047 CET  1300         49735      87.120.116.179  192.168.2.4
              Dec 6, 2024 10:48:55.597857952 CET497351300192.168.2.487.120.116.179
              Dec 6, 2024 10:48:55.717677116 CET13004973587.120.116.179192.168.2.4
              Dec 6, 2024 10:49:07.384638071 CET497351300192.168.2.487.120.116.179
              Dec 6, 2024 10:49:07.504575968 CET13004973587.120.116.179192.168.2.4
              Dec 6, 2024 10:49:07.778574944 CET13004973587.120.116.179192.168.2.4
              Dec 6, 2024 10:49:07.779320002 CET497351300192.168.2.487.120.116.179
              Dec 6, 2024 10:49:07.899149895 CET13004973587.120.116.179192.168.2.4
              Dec 6, 2024 10:49:21.478472948 CET497351300192.168.2.487.120.116.179
              Dec 6, 2024 10:49:21.598882914 CET13004973587.120.116.179192.168.2.4
              Dec 6, 2024 10:49:21.871579885 CET13004973587.120.116.179192.168.2.4
              Dec 6, 2024 10:49:21.872514963 CET497351300192.168.2.487.120.116.179
              Dec 6, 2024 10:49:21.992491007 CET13004973587.120.116.179192.168.2.4
              Dec 6, 2024 10:49:22.960803032 CET13004973587.120.116.179192.168.2.4
              Dec 6, 2024 10:49:23.009422064 CET497351300192.168.2.487.120.116.179

              Target ID:0
              Start time:04:45:00
              Start date:06/12/2024
              Path:C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\Desktop\17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe"
              Imagebase:0xee0000
              File size:36'864 bytes
              MD5 hash:C8406A867E34927D2548617585974093
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1680317158.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1680317158.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4134680347.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Reputation:low
              Has exited:false

              Execution Graph

              Execution Coverage:20.6%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:3
              Total number of Limit Nodes:0
              execution_graph 3901 7ffd9a4014da 3902 7ffd9a401c20 SetWindowsHookExW 3901->3902 3904 7ffd9a401cd1 3902->3904

              Executed Functions

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 0 7ffd9a40a6a4-7ffd9a40a6b0 call 7ffd9a4005c0 2 7ffd9a40a6b5-7ffd9a40a700 0->2 7 7ffd9a40a702-7ffd9a40a71f 2->7 8 7ffd9a40a776 2->8 9 7ffd9a40a77b-7ffd9a40a790 7->9 11 7ffd9a40a721-7ffd9a40a771 call 7ffd9a409370 7->11 8->9 13 7ffd9a40a792-7ffd9a40a7a4 call 7ffd9a4005d0 9->13 14 7ffd9a40a7a9-7ffd9a40a7be 9->14 33 7ffd9a40b349-7ffd9a40b357 11->33 13->33 20 7ffd9a40a7c0-7ffd9a40a7ec 14->20 21 7ffd9a40a7f1-7ffd9a40a806 14->21 20->33 27 7ffd9a40a808-7ffd9a40a814 call 7ffd9a408350 21->27 28 7ffd9a40a819-7ffd9a40a82e 21->28 27->33 37 7ffd9a40a830-7ffd9a40a833 28->37 38 7ffd9a40a874-7ffd9a40a889 28->38 37->8 39 7ffd9a40a839-7ffd9a40a844 37->39 42 7ffd9a40a8ca-7ffd9a40a8df 38->42 43 7ffd9a40a88b-7ffd9a40a88e 38->43 39->8 41 7ffd9a40a84a-7ffd9a40a86f call 7ffd9a4005a8 call 7ffd9a408350 39->41 41->33 50 7ffd9a40a8e1-7ffd9a40a8e4 42->50 51 7ffd9a40a90c-7ffd9a40a921 42->51 43->8 45 7ffd9a40a894-7ffd9a40a89f 43->45 45->8 48 7ffd9a40a8a5-7ffd9a40a8c5 call 7ffd9a4005a8 call 7ffd9a402860 45->48 48->33 50->8 53 7ffd9a40a8ea-7ffd9a40a907 call 7ffd9a4005a8 call 7ffd9a402868 50->53 58 7ffd9a40aa0d-7ffd9a40aa22 51->58 59 7ffd9a40a927-7ffd9a40a987 call 7ffd9a400530 51->59 53->33 68 7ffd9a40aa41-7ffd9a40aa56 58->68 69 7ffd9a40aa24-7ffd9a40aa27 58->69 59->8 101 7ffd9a40a98d-7ffd9a40a9b3 59->101 78 7ffd9a40aa78-7ffd9a40aa8d 68->78 79 7ffd9a40aa58-7ffd9a40aa5b 68->79 69->8 72 7ffd9a40aa2d-7ffd9a40aa35 69->72 74 7ffd9a40aa37-7ffd9a40aa3c call 7ffd9a402840 72->74 74->33 86 7ffd9a40aaad-7ffd9a40aac2 78->86 87 7ffd9a40aa8f-7ffd9a40aaa8 78->87 79->8 82 7ffd9a40aa61-7ffd9a40aa73 call 7ffd9a402840 79->82 82->33 92 7ffd9a40aae2-7ffd9a40aaf7 86->92 93 7ffd9a40aac4-7ffd9a40aadd 86->93 87->33 98 7ffd9a40ab17-7ffd9a40ab2c 92->98 99 7ffd9a40aaf9-7ffd9a40ab12 92->99 93->33 105 7ffd9a40ab2e-7ffd9a40ab31 98->105 106 7ffd9a40ab55-7ffd9a40ab6a 98->106 99->33 114 7ffd9a40a9b5-7ffd9a40a9c5 call 7ffd9a408360 101->114 115 7ffd9a40a9db-7ffd9a40a9ea 101->115 105->8 107 7ffd9a40ab37-7ffd9a40ab50 105->107 112 7ffd9a40ab70-7ffd9a40abbf 106->112 113 7ffd9a40ac0a-7ffd9a40ac1f 106->113 107->33 136 7ffd9a40abc1-7ffd9a40abd1 112->136 137 7ffd9a40abd5-7ffd9a40abe8 112->137 121 7ffd9a40ac21-7ffd9a40ac32 113->121 122 7ffd9a40ac37-7ffd9a40ac4c 113->122 114->8 125 7ffd9a40a9cb-7ffd9a40a9d9 call 7ffd9a408370 114->125 115->74 124 7ffd9a40a9ec-7ffd9a40aa08 115->124 121->33 132 7ffd9a40ac52-7ffd9a40acca 122->132 133 7ffd9a40acec-7ffd9a40ad01 122->133 124->33 125->115 132->8 164 7ffd9a40acd0-7ffd9a40ace7 132->164 140 7ffd9a40ad03-7ffd9a40ad14 133->140 141 7ffd9a40ad19-7ffd9a40ad2e 133->141 136->137 137->8 145 7ffd9a40abee-7ffd9a40ac05 137->145 140->33 150 7ffd9a40ad6f-7ffd9a40ad84 141->150 151 7ffd9a40ad30-7ffd9a40ad6a call 7ffd9a400ec0 call 7ffd9a409370 141->151 145->33 158 7ffd9a40ad8a-7ffd9a40ae26 call 7ffd9a400ec0 call 7ffd9a409370 150->158 159 7ffd9a40ae2b-7ffd9a40ae40 150->159 151->33 158->33 166 7ffd9a40aece-7ffd9a40aee3 159->166 167 7ffd9a40ae46-7ffd9a40ae49 159->167 164->33 176 7ffd9a40aee5-7ffd9a40aef2 call 7ffd9a409370 166->176 177 7ffd9a40aef7-7ffd9a40af0c 166->177 169 7ffd9a40aec3-7ffd9a40aec8 167->169 170 7ffd9a40ae4b-7ffd9a40ae56 167->170 184 7ffd9a40aec9 169->184 170->169 174 7ffd9a40ae58-7ffd9a40aec1 call 7ffd9a400ec0 call 7ffd9a409370 170->174 174->184 176->33 188 7ffd9a40af4d-7ffd9a40af62 177->188 189 7ffd9a40af0e-7ffd9a40af48 call 7ffd9a400ec0 call 7ffd9a409370 177->189 184->33 196 7ffd9a40afed-7ffd9a40b002 188->196 197 7ffd9a40af68-7ffd9a40af79 188->197 189->33 205 7ffd9a40b042-7ffd9a40b057 196->205 206 7ffd9a40b004-7ffd9a40b007 196->206 197->8 208 7ffd9a40af7f-7ffd9a40af8f call 7ffd9a4005a0 197->208 219 7ffd9a40b09d-7ffd9a40b0b2 205->219 220 7ffd9a40b059-7ffd9a40b098 call 7ffd9a409030 call 7ffd9a407f30 call 7ffd9a402820 205->220 206->8 210 7ffd9a40b00d-7ffd9a40b03d call 7ffd9a400598 call 7ffd9a4005a8 call 7ffd9a402818 206->210 221 7ffd9a40af91-7ffd9a40afc6 call 7ffd9a409370 208->221 222 7ffd9a40afcb-7ffd9a40afe8 call 7ffd9a4005a0 call 7ffd9a4005a8 call 7ffd9a402818 208->222 210->33 237 7ffd9a40b0b4-7ffd9a40b117 call 7ffd9a400ec0 call 7ffd9a409370 219->237 238 7ffd9a40b11c-7ffd9a40b131 219->238 220->33 221->33 222->33 237->33 238->33 258 7ffd9a40b137-7ffd9a40b168 238->258 258->33
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.4137676220.00007FFD9A400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9a400000_17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff566.jbxd
              Similarity
              • API ID:
              • String ID: xK_H
              • API String ID: 0-3055861111
              • Opcode ID: 822519dae5ddd3d0be4119a75187de5fb1f8ba8f0f95b822a0d731a9dd81c678
              • Instruction ID: f55bb954ac9b8678e6b59f6baef12aaed6f6d13875c10409e83c9409894b68b5
              • Opcode Fuzzy Hash: 822519dae5ddd3d0be4119a75187de5fb1f8ba8f0f95b822a0d731a9dd81c678
              • Instruction Fuzzy Hash: BD624031B289294FEBA8F778C475A7973D6EF98314B5045B9D41EC32CADE2CE8429740

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 498 7ffd9a406726-7ffd9a406733 499 7ffd9a406735-7ffd9a40673d 498->499 500 7ffd9a40673e-7ffd9a406807 498->500 499->500 504 7ffd9a406809-7ffd9a406812 500->504 505 7ffd9a406873 500->505 504->505 507 7ffd9a406814-7ffd9a406820 504->507 506 7ffd9a406875-7ffd9a40689a 505->506 514 7ffd9a40689c-7ffd9a4068a5 506->514 515 7ffd9a406906 506->515 508 7ffd9a406859-7ffd9a406871 507->508 509 7ffd9a406822-7ffd9a406834 507->509 508->506 510 7ffd9a406838-7ffd9a40684b 509->510 511 7ffd9a406836 509->511 510->510 513 7ffd9a40684d-7ffd9a406855 510->513 511->510 513->508 514->515 517 7ffd9a4068a7-7ffd9a4068b3 514->517 516 7ffd9a406908-7ffd9a4069b0 515->516 528 7ffd9a4069b2-7ffd9a4069bc 516->528 529 7ffd9a406a1e 516->529 518 7ffd9a4068ec-7ffd9a406904 517->518 519 7ffd9a4068b5-7ffd9a4068c7 517->519 518->516 521 7ffd9a4068cb-7ffd9a4068de 519->521 522 7ffd9a4068c9 519->522 521->521 524 7ffd9a4068e0-7ffd9a4068e8 521->524 522->521 524->518 528->529 531 7ffd9a4069be-7ffd9a4069cb 528->531 530 7ffd9a406a20-7ffd9a406a49 529->530 537 7ffd9a406a4b-7ffd9a406a56 530->537 538 7ffd9a406ab3 530->538 532 7ffd9a406a04-7ffd9a406a1c 531->532 533 7ffd9a4069cd-7ffd9a4069df 531->533 532->530 535 7ffd9a4069e3-7ffd9a4069f6 533->535 536 7ffd9a4069e1 533->536 535->535 539 7ffd9a4069f8-7ffd9a406a00 535->539 536->535 537->538 540 7ffd9a406a58-7ffd9a406a66 537->540 541 7ffd9a406ab5-7ffd9a406b46 538->541 539->532 542 7ffd9a406a68-7ffd9a406a7a 540->542 543 7ffd9a406a9f-7ffd9a406ab1 540->543 549 7ffd9a406b4c-7ffd9a406b5b 541->549 544 7ffd9a406a7c 542->544 545 7ffd9a406a7e-7ffd9a406a91 542->545 543->541 544->545 545->545 547 7ffd9a406a93-7ffd9a406a9b 545->547 547->543 550 7ffd9a406b63-7ffd9a406bc8 call 7ffd9a406be4 549->550 551 7ffd9a406b5d 549->551 558 7ffd9a406bca 550->558 559 7ffd9a406bcf-7ffd9a406be3 550->559 551->550 558->559
              Memory Dump Source
              • Source File: 00000000.00000002.4137676220.00007FFD9A400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9a400000_17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff566.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5553a3da9459aa5648f404273727946bba4d2f240165b788173bf45072e63ddb
              • Instruction ID: b36cdb56ef2b8e8dec0a3b8349f7837acb41674a4403c8b73448e8963a00586a
              • Opcode Fuzzy Hash: 5553a3da9459aa5648f404273727946bba4d2f240165b788173bf45072e63ddb
              • Instruction Fuzzy Hash: CCF1E731A08A9D8FEBA8DF28C8557E977E1FF54310F00426EE84EC7295CF7499458B82

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 560 7ffd9a4074d2-7ffd9a4074df 561 7ffd9a4074ea-7ffd9a4075b7 560->561 562 7ffd9a4074e1-7ffd9a4074e9 560->562 566 7ffd9a4075b9-7ffd9a4075c2 561->566 567 7ffd9a407623 561->567 562->561 566->567 568 7ffd9a4075c4-7ffd9a4075d0 566->568 569 7ffd9a407625-7ffd9a40764a 567->569 570 7ffd9a407609-7ffd9a407621 568->570 571 7ffd9a4075d2-7ffd9a4075e4 568->571 576 7ffd9a40764c-7ffd9a407655 569->576 577 7ffd9a4076b6 569->577 570->569 572 7ffd9a4075e8-7ffd9a4075fb 571->572 573 7ffd9a4075e6 571->573 572->572 575 7ffd9a4075fd-7ffd9a407605 572->575 573->572 575->570 576->577 578 7ffd9a407657-7ffd9a407663 576->578 579 7ffd9a4076b8-7ffd9a4076dd 577->579 580 7ffd9a40769c-7ffd9a4076b4 578->580 581 7ffd9a407665-7ffd9a407677 578->581 586 7ffd9a40774b 579->586 587 7ffd9a4076df-7ffd9a4076e9 579->587 580->579 582 7ffd9a40767b-7ffd9a40768e 581->582 583 7ffd9a407679 581->583 582->582 585 7ffd9a407690-7ffd9a407698 582->585 583->582 585->580 588 7ffd9a40774d-7ffd9a40777b 586->588 587->586 589 7ffd9a4076eb-7ffd9a4076f8 587->589 595 7ffd9a4077eb 588->595 596 7ffd9a40777d-7ffd9a407788 588->596 590 7ffd9a4076fa-7ffd9a40770c 589->590 591 7ffd9a407731-7ffd9a407749 589->591 593 7ffd9a407710-7ffd9a407723 590->593 594 7ffd9a40770e 590->594 591->588 593->593 597 7ffd9a407725-7ffd9a40772d 593->597 594->593 599 7ffd9a4077ed-7ffd9a4078c5 595->599 596->595 598 7ffd9a40778a-7ffd9a407798 596->598 597->591 600 7ffd9a40779a-7ffd9a4077ac 598->600 601 7ffd9a4077d1-7ffd9a4077e9 598->601 609 7ffd9a4078cb-7ffd9a4078da 599->609 602 7ffd9a4077b0-7ffd9a4077c3 600->602 603 7ffd9a4077ae 600->603 601->599 602->602 606 7ffd9a4077c5-7ffd9a4077cd 602->606 603->602 606->601 610 7ffd9a4078dc 609->610 611 7ffd9a4078e2-7ffd9a407944 call 7ffd9a407960 609->611 610->611 618 7ffd9a40794b-7ffd9a40795f 611->618 619 7ffd9a407946 611->619 619->618
              Memory Dump Source
              • Source File: 00000000.00000002.4137676220.00007FFD9A400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9a400000_17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff566.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 04c91cd41634b143e4aaa7bc7480a6af892a805c8bcafd82e8f663e2accaf169
              • Instruction ID: c77ace5e2dea87bab5ac3f87cc290df9a6eac01c3bcadf5724135445dee531bd
              • Opcode Fuzzy Hash: 04c91cd41634b143e4aaa7bc7480a6af892a805c8bcafd82e8f663e2accaf169
              • Instruction Fuzzy Hash: 50E1C431A08E8D8FEBA8DF28C8657E97BD1FF54310F04426AD84DC7295CF74A8558B82

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 349 7ffd9a401bf8-7ffd9a401bff 350 7ffd9a401c0a-7ffd9a401c7d 349->350 351 7ffd9a401c01-7ffd9a401c09 349->351 355 7ffd9a401d09-7ffd9a401d0d 350->355 356 7ffd9a401c83-7ffd9a401c88 350->356 351->350 357 7ffd9a401c92-7ffd9a401ccf SetWindowsHookExW 355->357 358 7ffd9a401c8f-7ffd9a401c90 356->358 359 7ffd9a401cd7-7ffd9a401d08 357->359 360 7ffd9a401cd1 357->360 358->357 360->359
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.4137676220.00007FFD9A400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9a400000_17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff566.jbxd
              Similarity
              • API ID: HookWindows
              • String ID:
              • API String ID: 2559412058-0
              • Opcode ID: be3ac5e54c9d91510067ce14752daf0e62a9d630ba0aa6c865dcbb5666bc6eb1
              • Instruction ID: 8777c708e757eb8f80dc9d7c1f69259229cbfbf74bd05df99726bab251d421fe
              • Opcode Fuzzy Hash: be3ac5e54c9d91510067ce14752daf0e62a9d630ba0aa6c865dcbb5666bc6eb1
              • Instruction Fuzzy Hash: 58311730E1CA5D8FDB18EB6CD8166F97BE1EF96321F00427ED00DD3292CE64A8528781

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 363 7ffd9a4014da-7ffd9a401c7d 367 7ffd9a401d09-7ffd9a401d0d 363->367 368 7ffd9a401c83-7ffd9a401c88 363->368 369 7ffd9a401c92-7ffd9a401ccf SetWindowsHookExW 367->369 370 7ffd9a401c8f-7ffd9a401c90 368->370 371 7ffd9a401cd7-7ffd9a401d08 369->371 372 7ffd9a401cd1 369->372 370->369 372->371
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.4137676220.00007FFD9A400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9a400000_17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff566.jbxd
              Similarity
              • API ID: HookWindows
              • String ID:
              • API String ID: 2559412058-0
              • Opcode ID: 36c62fe902f68ee8e0983684dcaa6f6a66147c929973b7d87de690fda16bd4b1
              • Instruction ID: 08785ce22ddc53c84454379f77fcfd52df29953bc4bb4101004c0fc54d19801a
              • Opcode Fuzzy Hash: 36c62fe902f68ee8e0983684dcaa6f6a66147c929973b7d87de690fda16bd4b1
              • Instruction Fuzzy Hash: 1E31C531A1CA1D8FDB58EF5CD8566F9B7E1EB99315F10423EE00ED3292CA70A85287C1