Windows Analysis Report
17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe

Overview

General Information

Sample name: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe
Analysis ID: 1569854
MD5: fa58afcb76508132cdd7aa5188b0dd8b
SHA1: 09318e1d9c42b50ceb31e589a235b425ff576956
SHA256: 551e1481dbb3127c56a805a38512a4767f93f3f309e2adb903120992a10f0819
Tags: base64-decoded, exe, user-abuse_ch

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
{"C2 url": ["87.120.116.179"], "Port": 1300, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author | Strings
17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x7a34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7ad1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7be6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x76e2:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
00000000.00000000.1422131008.0000000000B02000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.1422131008.0000000000B02000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x7834:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x78d1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x79e6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x74e2:$cnc4: POST / HTTP/1.1
00000000.00000002.3877099874.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Process Memory Space: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe PID: 7748 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Source | Rule | Description | Author | Strings
0.0.17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe.b00000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe.b00000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x7a34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7ad1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7be6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x76e2:$cnc4: POST / HTTP/1.1
            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T10:51:36.589035+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:51:47.051103+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:51:53.002089+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:51:57.609124+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:08.051686+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:18.520284+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:23.027079+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:28.989048+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:30.600532+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:30.910924+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:38.256288+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:38.448012+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:42.457811+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:44.411837+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:53.017023+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:54.506058+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:56.583496+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:59.666190+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:59.857891+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:00.034346+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:10.466692+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:12.053915+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:12.245724+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:12.367915+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:13.863809+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:17.316524+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:20.139951+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:23.012335+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:23.207871+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:33.476831+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:33.669500+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:44.051895+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:45.615267+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:45.807201+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:45.929533+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:51.616959+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:52.914390+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:53.106178+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:00.816727+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:02.545204+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:13.004043+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:14.771057+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:15.804497+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:16.084595+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:20.864423+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:21.098726+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:21.290683+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:21.436864+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:21.524565+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:23.005881+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:24.458462+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:26.348709+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:36.817330+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:38.316806+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:45.040923+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:48.301723+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:52.939594+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:53.131320+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:53.265514+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:56.208541+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:06.416544+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:08.286919+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:08.478760+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:09.366068+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:11.989723+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:21.942434+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:23.012331+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:23.474269+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:28.004918+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T10:51:36.638514+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:51:47.053788+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:51:57.610928+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:08.055640+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:18.522057+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:29.020853+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:30.637596+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:30.916246+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:38.475196+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:38.595013+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:42.459902+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:44.416859+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:54.513020+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:56.585523+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:59.721361+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:59.859622+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:00.036274+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:10.468415+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:12.056114+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:12.247538+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:12.369696+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:13.866968+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:17.319625+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:20.141823+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:23.209313+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:33.479932+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:33.671637+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:33.794486+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:33.956599+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:44.062984+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:45.617479+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:45.809283+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:45.931346+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:51.620565+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:52.916339+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:00.818406+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:02.572765+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:13.006113+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:14.832195+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:15.811542+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:16.086509+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:21.116093+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:21.293685+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:21.442141+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:21.612113+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:24.460459+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:26.350834+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:36.820343+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:38.318985+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:45.046141+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:48.305086+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:52.953781+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:53.267660+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:56.213590+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:55:06.418776+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:55:08.292084+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:55:08.482726+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:55:09.370076+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:55:11.991474+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:55:21.944479+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:55:23.476285+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:55:28.005743+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T10:51:53.002089+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:23.027079+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:53.017023+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:23.012335+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:53.106178+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:23.005881+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:53.131320+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:23.012331+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T10:52:59.273345+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP

            AV Detection

Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | Avira: detected
Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | Malware Configuration Extractor: Xworm {"C2 url": ["87.120.116.179"], "Port": 1300, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | Joe Sandbox ML: detected
Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | String decryptor: 87.120.116.179
Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | String decryptor: 1300
Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | String decryptor: <123456789>
Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | String decryptor: <Xwormmm>
Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | String decryptor: DEIDARA
Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | String decryptor: USB.exe
Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49704 -> 87.120.116.179:1300
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 87.120.116.179:1300 -> 192.168.2.8:49704
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.8:49704 -> 87.120.116.179:1300
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 87.120.116.179:1300 -> 192.168.2.8:49704
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49704 -> 87.120.116.179:1300
Source: Malware configuration extractor | URLs: 87.120.116.179
Source: global traffic | TCP traffic: 192.168.2.8:49704 -> 87.120.116.179:1300
Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, 00000000.00000002.3877099874.0000000002E31000.00000004.00000800.00020000.00000000.sdmp - String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, XLogger.cs - .Net Code: KeyboardLayout

            System Summary

            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, type: SAMPLE - Matched rule: Detects AsyncRAT, Author: ditekSHen
            Source: 0.0.17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe.b00000.0.unpack, type: UNPACKEDPE - Matched rule: Detects AsyncRAT, Author: ditekSHen
            Source: 00000000.00000000.1422131008.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY - Matched rule: Detects AsyncRAT, Author: ditekSHen
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Code function: 0_2_00007FFB4B2A74C2
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Code function: 0_2_00007FFB4B2A6716
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Code function: 0_2_00007FFB4B2A2C38
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, 00000000.00000000.1422145790.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp - Binary or memory string: OriginalFilenameDEIDARA.exe4 vs 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Binary or memory string: OriginalFilenameDEIDARA.exe4 vs 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, type: SAMPLE - Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
            Source: 0.0.17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe.b00000.0.unpack, type: UNPACKEDPE - Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000000.1422131008.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY - Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, Helper.cs - Cryptographic APIs: 'TransformFinalBlock'
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, AlgorithmAES.cs - Cryptographic APIs: 'TransformFinalBlock'
            Source: classification engine - Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Mutant created: \Sessions\1\BaseNamedObjects\JTzuMwKRwNYwE18T
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Mutant created: NULL
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - ReversingLabs: Detection: 84%
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: version.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: avicap32.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: msvfw32.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, Messages.cs - .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, Messages.cs - .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, Messages.cs - .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, Messages.cs - .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, Messages.cs - .Net Code: Memory System.AppDomain.Load(byte[])
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, Messages.cs - .Net Code: Memory
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Code function: 0_2_00007FFB4B2A2E0B push eax; iretd 0_2_00007FFB4B2A2E49
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Code function: 0_2_00007FFB4B2A2DF2 pushad ; retf 0_2_00007FFB4B2A2E09
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Code function: 0_2_00007FFB4B2A00BD pushad ; iretd 0_2_00007FFB4B2A00C1
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Memory allocated: F60000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Memory allocated: 1AE30000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Window / User API: threadDelayed 9794
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe TID: 7884 - Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe TID: 7888 - Thread sleep count: 9794 > 30
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe TID: 7888 - Thread sleep count: 61 > 30
            Source: all processes - Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Thread delayed: delay time: 922337203685477
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, 00000000.00000002.3878731321.000000001BE70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Process Stats: CPU usage > 42% for more than 60s
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Process token adjusted: Debug
            Source: all processes - Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Queries volume information: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe VolumeInformation
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, 00000000.00000002.3878731321.000000001BEAA000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe - WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match - File source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, type: SAMPLE
            Source: Yara match - File source: 0.0.17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe.b00000.0.unpack, type: UNPACKEDPE
            Source: Yara match - File source: 00000000.00000000.1422131008.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match - File source: 00000000.00000002.3877099874.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match - File source: Process Memory Space: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe PID: 7748, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match - File source: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, type: SAMPLE
            Source: Yara match - File source: 0.0.17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe.b00000.0.unpack, type: UNPACKEDPE
            Source: Yara match - File source: 00000000.00000000.1422131008.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match - File source: 00000000.00000002.3877099874.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match - File source: Process Memory Space: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe PID: 7748, type: MEMORYSTR

            MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the count of matching signatures, unnumbered entries were not observed)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
            Execution: 11 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Defense Evasion: 1 Disable or Modify Tools; 232 Virtualization/Sandbox Evasion; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
            Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
            Discovery: 221 Security Software Discovery; 1 Process Discovery; 232 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery; Wi-Fi Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
            Collection: 1 Input Capture; 11 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
            Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

            Source | Detection | Scanner | Label
            17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
            17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | 100% | Avira | TR/Spy.Gen
            17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            Source | Detection | Scanner | Label
            87.120.116.179 | 0% | Avira URL Cloud | safe
            No contacted domains info
            Name | Malicious | Antivirus Detection | Reputation
            87.120.116.179 | true | Avira URL Cloud: safe | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe, 00000000.00000002.3877099874.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | | high
              IP | Domain | Country | ASN | ASN Name | Malicious
              87.120.116.179 | unknown | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | true
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1569854
              Start date and time:2024-12-06 10:50:24 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 6m 14s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of new started processes analysed:6
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe
              Detection:MAL
              Classification:mal100.troj.spyw.evad.winEXE@1/0@0/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 98%
              • Number of executed functions: 4
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240000 for current running targets taking high CPU consumption
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Not all processes where analyzed, report is missing behavior information
              • VT rate limit hit for: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe
Time | Type | Description
04:51:24 | API Interceptor | 11785102x Sleep call for process: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
87.120.116.179 | 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | malicious | XWorm
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNACS-AS-BG8000BurgasBG | 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | malicious | XWorm | 87.120.116.179
UNACS-AS-BG8000BurgasBG | yIla7SeJ6r.doc | malicious | XenoRAT | 87.120.120.27
UNACS-AS-BG8000BurgasBG | gjot5vxpIC.exe | malicious | XenoRAT | 87.120.120.27
UNACS-AS-BG8000BurgasBG | file.exe | malicious | Amadey, AsyncRAT, Stealc, Vidar | 87.120.125.31
UNACS-AS-BG8000BurgasBG | po4877383.exe | malicious | RedLine | 87.120.120.86
UNACS-AS-BG8000BurgasBG | e824975.html | malicious | Unknown | 87.120.114.172
UNACS-AS-BG8000BurgasBG | qqig1mHX8U.exe | malicious | AveMaria, DBatLoader, UACMe | 87.120.125.217
UNACS-AS-BG8000BurgasBG | RFQ LIST 767655776478637584637865763478634365634444444444444444453.exe | malicious | GuLoader | 87.120.114.159
UNACS-AS-BG8000BurgasBG | New listed items 7648767856387547354734567465647568487.exe | malicious | Discord Token Stealer, GuLoader | 87.120.114.159
                No context
                No context
                No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.612471249962789
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe
File size: 36'864 bytes
MD5: fa58afcb76508132cdd7aa5188b0dd8b
SHA1: 09318e1d9c42b50ceb31e589a235b425ff576956
SHA256: 551e1481dbb3127c56a805a38512a4767f93f3f309e2adb903120992a10f0819
SHA512: 694028248e26e2c1fb3106ec6e101bca4e0b4e886d255376b04ce136d66459560dfd246df6b8d0eb945d907caa17c02db01816b6207f5d9c4c57e74d7aebf0f9
SSDEEP: 768:4L13A5Uno9RfHWa2B71eo8icH1bxbFb9EHUOMhmQXv0:GxA5Uno9JHWXZeNicH1bBFb9EHUOMs60
TLSH: 45F24C48BBE04216D9ED6BF5A97372020674E613D917EB4E4CE489D76F27BC08D013EA
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg................................. ........@.. ....................................@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x40a5ee
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6745C39F [Tue Nov 26 12:48:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times)
This is the standard native stub of a .NET executable: a single jmp through the IAT slot at 0x402000 (image base 0x400000 plus the IAT at RVA 0x2000 listed in the data directories below) into the file's only import, mscoree.dll!_CorExeMain, which hands execution to the CLR. The 97 "add byte ptr [eax], al" entries are the zero bytes that pad the rest of the stub, rendered as instructions by the disassembler; they are never executed, and the program's real logic is in the CIL metadata, not at the entry point.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa594 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x85f4 | 0x8600 | 56276a7b84359c2f0d98b3b7e64ead33 | False | 0.49906716417910446 | data | 5.74750296465965 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x4d8 | 0x600 | 0ddefdb4552e097a6fc90a039c8b2713 | False | 0.375 | data | 3.7352408382891036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | fd3ac7fbb8a34dc91e775b7c64e87bbc | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x244 | data | | | 0.47413793103448276
RT_MANIFEST | 0xc2e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
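The static facts above (IAT at RVA 0x2000, CLR header at RVA 0x2008, a single mscoree.dll!_CorExeMain import, entry point 0x40a5ee) are exactly what a header walk checks when deciding whether an unknown PE is a managed assembly whose real code lives in CIL rather than at the native entry point. The Python below is an added example, not code from the report or from the sample: it uses only the standard library, and build_constructed_pe() emits a synthetic PE32 laid out like the report's headers as constructed test input. The import-directory contents and every CLR-header field beyond cb and the runtime version are assumptions made for the example.

```python
"""Added example, not code from the Joe Sandbox report or the sample: a stdlib-only PE32
header walk that verifies the two static facts the report lists for this file, a populated
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and an entry stub `jmp dword ptr [IAT]` -> mscoree.dll!_CorExeMain."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_IAT, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 1, 12, 14  # winnt.h

def parse_pe32(data: bytes) -> dict:
    """Return entry RVA, image base, data directories and section table of a PE32 file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing MZ/PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva, image_base = struct.unpack_from("<I", data, opt + 16)[0], struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):  # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize, rawptr, rawsize))
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}

def rva_to_offset(pe: dict, rva: int) -> int:
    for _, vaddr, vsize, rawptr, rawsize in pe["sections"]:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def read_cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii")

def resolve_iat_slot(data: bytes, pe: dict, slot_rva: int):
    """Map an IAT slot RVA to (dll, function) by walking the import descriptors (by-name imports only)."""
    imp_rva, _ = pe["dirs"][IMAGE_DIRECTORY_ENTRY_IMPORT]
    off = rva_to_offset(pe, imp_rva)
    while True:
        oft, _, _, name_rva, first_thunk = struct.unpack_from("<IIIII", data, off)
        if first_thunk == 0:  # all-zero descriptor terminates the list
            return None
        thunks, toff = [], rva_to_offset(pe, oft or first_thunk)
        while (t := struct.unpack_from("<I", data, toff)[0]) != 0:
            thunks.append(t)
            toff += 4
        idx = (slot_rva - first_thunk) // 4
        if 0 <= idx < len(thunks):
            dll = read_cstr(data, rva_to_offset(pe, name_rva))
            return dll, read_cstr(data, rva_to_offset(pe, thunks[idx]) + 2)  # skip the 2-byte hint
        off += 20

def classify_entry_stub(data: bytes) -> dict:
    """Check for a CLR header and decode the native entry stub (FF 25 imm32 = jmp dword ptr [imm32])."""
    pe = parse_pe32(data)
    _, clr_size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
    iat_rva, iat_size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_IAT]
    stub_off = rva_to_offset(pe, pe["entry_rva"])
    stub = data[stub_off:stub_off + 6]
    result = {"entry_rva": pe["entry_rva"], "has_clr_header": clr_size != 0, "jmp_target": None}
    if stub[:2] == b"\xff\x25":
        slot_rva = struct.unpack_from("<I", stub, 2)[0] - pe["image_base"]
        if iat_rva <= slot_rva < iat_rva + iat_size:  # the jmp must go through the IAT, not an arbitrary pointer
            result["jmp_target"] = resolve_iat_slot(data, pe, slot_rva)
    result["is_managed_stub"] = result["has_clr_header"] and result["jmp_target"] == ("mscoree.dll", "_CorExeMain")
    return result

def build_constructed_pe() -> bytes:
    """Synthetic PE32 mirroring the report's layout (entry 0x40a5ee, IAT 0x2000, CLR header 0x2008,
    .text at RVA 0x2000 / raw 0x200). Constructed test input, not the sample's bytes."""
    text_rva, text_raw, text_vsize, text_rawsize = 0x2000, 0x200, 0x85F4, 0x8600
    off = lambda rva: rva - text_rva + text_raw  # RVA -> file offset inside .text
    img = bytearray(text_raw + text_rawsize)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0x6745C39F, 0, 0, 0xE0, 0x0102)  # i386, 1 section, EXE|32BIT
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)  # PE32 magic
    struct.pack_into("<IIIIII", img, opt + 16, 0xA5EE, 0, 0, 0x400000, 0x2000, 0x200)  # entry, code, data, base, alignments
    struct.pack_into("<HH", img, opt + 68, 2, 0x8540)  # WINDOWS_GUI; DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE
    struct.pack_into("<I", img, opt + 92, 16)  # NumberOfRvaAndSizes
    imp_rva = 0xA594
    ilt_rva, hint_rva, dll_rva = imp_rva + 40, imp_rva + 48, imp_rva + 62
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, imp_rva, dll_rva + 12 - imp_rva)
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IAT, 0x2000, 8)
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".text", text_vsize, text_rva, text_rawsize, text_raw)
    struct.pack_into("<I", img, opt + 0xE0 + 36, 0x60000020)  # IMAGE_SCN_CNT_CODE|MEM_EXECUTE|MEM_READ
    struct.pack_into("<II", img, off(0x2000), hint_rva, 0)  # IAT, unbound: mirrors the ILT
    struct.pack_into("<IHH", img, off(0x2008), 0x48, 2, 5)  # IMAGE_COR20_HEADER: cb, runtime 2.5 (rest assumed zero)
    struct.pack_into("<IIIII", img, off(imp_rva), ilt_rva, 0, 0, dll_rva, 0x2000)  # one descriptor, zero terminator follows
    struct.pack_into("<II", img, off(ilt_rva), hint_rva, 0)
    img[off(hint_rva):off(hint_rva) + 14] = b"\0\0_CorExeMain\0"
    img[off(dll_rva):off(dll_rva) + 12] = b"mscoree.dll\0"
    img[off(0xA5EE):off(0xA5EE) + 6] = b"\xff\x25" + struct.pack("<I", 0x402000)  # jmp dword ptr [00402000h]; zeros follow
    return bytes(img)
```

Against the constructed image classify_entry_stub() reports entry RVA 0xa5ee, a populated CLR header and a jump target of ("mscoree.dll", "_CorExeMain"), so is_managed_stub is true; pointed at a native PE it returns has_clr_header False and, unless the entry happens to be an FF 25 thunk, jmp_target None. The IAT range check matters because a `jmp dword ptr [imm32]` through a pointer outside the IAT is not an import call and should not be treated as the CLR hand-off.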
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-06T10:51:36.195498+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:51:36.589035+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:51:36.638514+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:51:47.051103+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:51:47.053788+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:51:53.002089+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:51:53.002089+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:51:57.609124+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:51:57.610928+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:08.051686+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:08.055640+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:18.520284+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:18.522057+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:23.027079+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:23.027079+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:28.989048+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:29.020853+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:30.600532+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:30.637596+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:30.910924+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:30.916246+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:38.256288+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:38.448012+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:38.475196+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:38.595013+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:42.457811+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:42.459902+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:44.411837+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:44.416859+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:53.017023+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:53.017023+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:54.506058+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:54.513020+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:56.583496+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:56.585523+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:59.273345+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:59.666190+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:59.721361+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:59.857891+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:52:59.859622+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:00.034346+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:00.036274+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:10.466692+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:10.468415+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:12.053915+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:12.056114+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:12.245724+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:12.247538+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:12.367915+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:12.369696+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:13.863809+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:13.866968+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:17.316524+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:17.319625+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:20.139951+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:20.141823+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:23.012335+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:23.012335+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:23.207871+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:23.209313+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:33.476831+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:33.479932+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:33.669500+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:33.671637+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:33.794486+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:33.956599+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:44.051895+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:44.062984+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:45.615267+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:45.617479+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:45.807201+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:45.809283+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:45.929533+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:45.931346+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:51.616959+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:51.620565+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:52.914390+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:52.916339+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:53.106178+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:53:53.106178+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:00.816727+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:00.818406+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:02.545204+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:02.572765+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:13.004043+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:13.006113+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:14.771057+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:14.832195+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:15.804497+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:15.811542+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:16.084595+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:16.086509+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:20.864423+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:21.098726+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:21.116093+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:21.290683+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:21.293685+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:21.436864+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:21.442141+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:21.524565+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:21.612113+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:23.005881+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:23.005881+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:24.458462+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:24.460459+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:26.348709+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:26.350834+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:36.817330+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:36.820343+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:38.316806+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:38.318985+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:45.040923+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:45.046141+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:48.301723+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:48.305086+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:52.939594+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:52.953781+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:53.131320+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:53.131320+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:53.265514+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:53.267660+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:56.208541+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:54:56.213590+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:55:06.416544+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:06.418776+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:55:08.286919+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:08.292084+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:55:08.478760+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:08.482726+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:55:09.366068+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:09.370076+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:55:11.989723+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:11.991474+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:55:21.942434+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:21.944479+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:55:23.012331+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:23.012331+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:23.474269+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:23.476285+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:55:28.004918+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.8 | 49704 | TCP
2024-12-06T10:55:28.005743+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49704 | 87.120.116.179 | 1300 | TCP
                Timestamp                           Source Port  Dest Port  Source IP        Dest IP
                Dec 6, 2024 10:51:25.414753914 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:51:25.534811020 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:51:25.534976959 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:51:25.730209112 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:51:25.850003958 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:51:36.195497990 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:51:36.315330029 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:51:36.589035034 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:51:36.638514042 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:51:36.758404016 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:51:46.658097982 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:51:46.777885914 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:51:47.051103115 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:51:47.053787947 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:51:47.173568964 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:51:53.002089024 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:51:53.048491955 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:51:57.216109037 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:51:57.335899115 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:51:57.609123945 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:51:57.610928059 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:51:57.730820894 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:07.658165932 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:07.777920961 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:08.051686049 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:08.055639982 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:08.175362110 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:18.126965046 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:18.247303009 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:18.520283937 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:18.522057056 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:18.642000914 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:23.027079105 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:23.079813004 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:28.595789909 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:28.715821028 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:28.989048004 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:29.020853043 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:29.140657902 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:30.205533028 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:30.325323105 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:30.517575979 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:30.600532055 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:30.637521029 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:30.637595892 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:30.757536888 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:30.910923958 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:30.916245937 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:31.036145926 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:37.861624956 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:37.981513023 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:37.981656075 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:38.101421118 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:38.256288052 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:38.336272001 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:38.448012114 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:38.475195885 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:38.594943047 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:38.595012903 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:38.714806080 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:42.064687014 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:42.184452057 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:42.457811117 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:42.459902048 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:42.579619884 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:44.017996073 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:44.139708042 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:44.411837101 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:44.416858912 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:44.536886930 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:53.017023087 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:53.067322016 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:54.112422943 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:54.232141018 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:54.506057978 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:54.513020039 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:54.632832050 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:56.189919949 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:56.309763908 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:56.583496094 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:56.585522890 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:56.705328941 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:59.273344994 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:59.393155098 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:59.393441916 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:59.513154030 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:59.597364902 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:59.666189909 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:59.717189074 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:59.721360922 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:52:59.842221022 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:59.857891083 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:52:59.859622002 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:00.020468950 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:00.034346104 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:00.036273956 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:00.156161070 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:10.064754963 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:10.184437037 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:10.466691971 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:10.468415022 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:10.588185072 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:11.661604881 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:11.781407118 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:11.814749956 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:11.934604883 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:11.934652090 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:12.053915024 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:12.054296017 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:12.056113958 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:12.176062107 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:12.245723963 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:12.247538090 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:12.367389917 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:12.367914915 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:12.369695902 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:12.536572933 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:13.470972061 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:13.590831041 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:13.863809109 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:13.866967916 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:13.986706972 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:16.924153090 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:17.043899059 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:17.316524029 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:17.319624901 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:17.439362049 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:19.737469912 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:19.857297897 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:20.139950991 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:20.141823053 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:20.264058113 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:22.815371037 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:22.935198069 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:23.012335062 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:23.173902988 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:23.207870960 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:23.209312916 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:23.329179049 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:33.080667019 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:33.202951908 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:33.203012943 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:33.326252937 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:33.476830959 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:33.479932070 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:33.599754095 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:33.669500113 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:33.671637058 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:33.791441917 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:33.792303085 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:33.794486046 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:33.956480026 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:33.956598997 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:34.076440096 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:43.658607006 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:43.778439999 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:44.051894903 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:44.062983990 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:44.183296919 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:45.221330881 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:45.341169119 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:45.341219902 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:45.460954905 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:45.615267038 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:45.617479086 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:45.737435102 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:45.807200909 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:45.809283018 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:45.929131031 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:45.929533005 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:45.931345940 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:46.092578888 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:51.205872059 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:51.325728893 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:51.616959095 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:51.620564938 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:51.740303040 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:52.521641970 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:52.641514063 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:52.914390087 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:52.916338921 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:53:53.036153078 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:53.106178045 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:53:53.158421993 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:00.424470901 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:00.544176102 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:00.816726923 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:00.818406105 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:00.938213110 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:02.152252913 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:02.272162914 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:02.545203924 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:02.572765112 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:02.692536116 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:12.612042904 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:12.731812954 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:13.004043102 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:13.006113052 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:13.125926018 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:14.377661943 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:14.497426033 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:14.771056890 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:14.832195044 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:14.951961994 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:15.412081957 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:15.531920910 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:15.691806078 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:15.804497004 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:15.811480999 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:15.811542034 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:15.931482077 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:16.084594965 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:16.086508989 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:16.207295895 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:20.471470118 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:20.591238022 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:20.705996990 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:20.825911045 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:20.830723047 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:20.864423037 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:20.955678940 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:20.992527008 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:20.995966911 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:21.098726034 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:21.115988970 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:21.116092920 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:21.235984087 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:21.290683031 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:21.293684959 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:21.413573980 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:21.436863899 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:21.442141056 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:21.524564981 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:21.608967066 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:21.612112999 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:21.731986046 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:23.005881071 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:23.158632040 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:24.065169096 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:24.185395002 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:24.458462000 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:24.460458994 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:24.580172062 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:25.955687046 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:26.075551033 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:26.348709106 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:26.350833893 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:26.470566988 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:36.424837112 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:36.544800043 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:36.817329884 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:36.820343018 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:36.940226078 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:37.924709082 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:38.044709921 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:38.316806078 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:38.318984985 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:38.438735962 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:44.643381119 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:44.763484001 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:45.040923119 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:45.046140909 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:45.165848017 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:47.909224033 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:48.028892040 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:48.301723003 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:48.305085897 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:48.425580978 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:52.521961927 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:52.641783953 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:52.833957911 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:52.939594030 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:52.953707933 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:52.953780890 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:53.073420048 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:53.131320000 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:53.174413919 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:53.265513897 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:53.267659903 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:53.387516975 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:55.815598011 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:55.935286045 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:56.208540916 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:54:56.213589907 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:54:56.333334923 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:06.022047043 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:55:06.141766071 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:06.416543961 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:06.418776035 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:55:06.538706064 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:07.893856049 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:55:08.013576984 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:08.014116049 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:55:08.133912086 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:08.286919117 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:08.292083979 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:55:08.411767006 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:08.478760004 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:08.482726097 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:55:08.602436066 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:08.972184896 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:55:09.092015028 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:09.366067886 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:09.370075941 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:55:09.490508080 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:11.596973896 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:55:11.716797113 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:11.989722967 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:11.991473913 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:55:12.111188889 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:21.550057888 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:55:21.669897079 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:21.942434072 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:21.944478989 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:55:22.064249992 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:23.012331009 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:23.065185070 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:55:23.081188917 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:55:23.200851917 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:23.474268913 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:23.476284981 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:55:23.596092939 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:27.612418890 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:55:27.732264996 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:28.004918098 CET  1300         49704      87.120.116.179   192.168.2.8
                Dec 6, 2024 10:55:28.005743027 CET  49704        1300       192.168.2.8      87.120.116.179
                Dec 6, 2024 10:55:28.125844002 CET  1300         49704      87.120.116.179   192.168.2.8

                Target ID:0
                Start time:04:51:20
                Start date:06/12/2024
                Path:C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\Desktop\17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe"
                Imagebase:0xb00000
                File size:36'864 bytes
                MD5 hash:FA58AFCB76508132CDD7AA5188B0DD8B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1422131008.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1422131008.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3877099874.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:false

                  Execution Graph

                  Execution Coverage:20%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:3
                  Total number of Limit Nodes:0
                  execution_graph 4892 7ffb4b2a1bf8 4893 7ffb4b2a1c01 SetWindowsHookExW 4892->4893 4895 7ffb4b2a1cd1 4893->4895

                  Control-flow Graph

                  control_flow_graph 0 7ffb4b2a2c38-7ffb4b2aa693 2 7ffb4b2aa695-7ffb4b2aa6a0 call 7ffb4b2a05c0 0->2 3 7ffb4b2aa6dd-7ffb4b2aa6f0 0->3 7 7ffb4b2aa6a5-7ffb4b2aa6da 2->7 5 7ffb4b2aa766 3->5 6 7ffb4b2aa6f2-7ffb4b2aa70f 3->6 9 7ffb4b2aa76b-7ffb4b2aa780 5->9 6->9 10 7ffb4b2aa711-7ffb4b2aa761 call 7ffb4b2a9360 6->10 7->3 15 7ffb4b2aa799-7ffb4b2aa7ae 9->15 16 7ffb4b2aa782-7ffb4b2aa794 call 7ffb4b2a05d0 9->16 34 7ffb4b2ab339-7ffb4b2ab347 10->34 22 7ffb4b2aa7e1-7ffb4b2aa7f6 15->22 23 7ffb4b2aa7b0-7ffb4b2aa7dc 15->23 16->34 29 7ffb4b2aa809-7ffb4b2aa81e 22->29 30 7ffb4b2aa7f8-7ffb4b2aa804 call 7ffb4b2a8340 22->30 23->34 38 7ffb4b2aa864-7ffb4b2aa879 29->38 39 7ffb4b2aa820-7ffb4b2aa823 29->39 30->34 44 7ffb4b2aa8ba-7ffb4b2aa8cf 38->44 45 7ffb4b2aa87b-7ffb4b2aa87e 38->45 39->5 41 7ffb4b2aa829-7ffb4b2aa834 39->41 41->5 43 7ffb4b2aa83a-7ffb4b2aa85f call 7ffb4b2a05a8 call 7ffb4b2a8340 41->43 43->34 51 7ffb4b2aa8fc-7ffb4b2aa911 44->51 52 7ffb4b2aa8d1-7ffb4b2aa8d4 44->52 45->5 46 7ffb4b2aa884-7ffb4b2aa88f 45->46 46->5 49 7ffb4b2aa895-7ffb4b2aa8b5 call 7ffb4b2a05a8 call 7ffb4b2a2c88 46->49 49->34 62 7ffb4b2aa917-7ffb4b2aa977 call 7ffb4b2a0530 51->62 63 7ffb4b2aa9fd-7ffb4b2aaa12 51->63 52->5 55 7ffb4b2aa8da-7ffb4b2aa8f7 call 7ffb4b2a05a8 call 7ffb4b2a2c90 52->55 55->34 62->5 102 7ffb4b2aa97d-7ffb4b2aa9b5 call 7ffb4b2a8350 62->102 70 7ffb4b2aaa14-7ffb4b2aaa17 63->70 71 7ffb4b2aaa31-7ffb4b2aaa46 63->71 70->5 74 7ffb4b2aaa1d-7ffb4b2aaa27 call 7ffb4b2a2c68 70->74 80 7ffb4b2aaa68-7ffb4b2aaa7d 71->80 81 7ffb4b2aaa48-7ffb4b2aaa4b 71->81 79 7ffb4b2aaa29-7ffb4b2aaa2c 74->79 79->34 88 7ffb4b2aaa9d-7ffb4b2aaab2 80->88 89 7ffb4b2aaa7f-7ffb4b2aaa98 80->89 81->5 83 7ffb4b2aaa51-7ffb4b2aaa63 call 7ffb4b2a2c68 81->83 83->34 93 7ffb4b2aaab4-7ffb4b2aaacd 88->93 94 7ffb4b2aaad2-7ffb4b2aaae7 88->94 89->34 93->34 99 7ffb4b2aaae9-7ffb4b2aab02 94->99 100 7ffb4b2aab07-7ffb4b2aab1c 94->100 99->34 105 7ffb4b2aab45-7ffb4b2aab5a 100->105 106 7ffb4b2aab1e-7ffb4b2aab21 100->106 102->5 119 7ffb4b2aa9bb-7ffb4b2aa9da call 7ffb4b2a8360 102->119 113 7ffb4b2aabfa-7ffb4b2aac0f 105->113 114 7ffb4b2aab60-7ffb4b2aabd8 105->114 106->5 108 7ffb4b2aab27-7ffb4b2aab40 106->108 108->34 120 7ffb4b2aac27-7ffb4b2aac3c 113->120 121 7ffb4b2aac11-7ffb4b2aac22 113->121 114->5 145 7ffb4b2aabde-7ffb4b2aabf5 114->145 119->79 132 7ffb4b2aa9dc-7ffb4b2aa9f8 119->132 130 7ffb4b2aacdc-7ffb4b2aacf1 120->130 131 7ffb4b2aac42-7ffb4b2aac5d 120->131 121->34 138 7ffb4b2aacf3-7ffb4b2aad04 130->138 139 7ffb4b2aad09-7ffb4b2aad1e 130->139 132->34 138->34 146 7ffb4b2aad5f-7ffb4b2aad74 139->146 147 7ffb4b2aad20-7ffb4b2aad5a call 7ffb4b2a0ec0 call 7ffb4b2a9360 139->147 145->34 151 7ffb4b2aad7a-7ffb4b2aae16 call 7ffb4b2a0ec0 call 7ffb4b2a9360 146->151 152 7ffb4b2aae1b-7ffb4b2aae30 146->152 147->34 151->34 158 7ffb4b2aae36-7ffb4b2aae39 152->158 159 7ffb4b2aaebe-7ffb4b2aaed3 152->159 160 7ffb4b2aaeb3-7ffb4b2aaeb8 158->160 161 7ffb4b2aae3b-7ffb4b2aae46 158->161 166 7ffb4b2aaed5-7ffb4b2aaee2 call 7ffb4b2a9360 159->166 167 7ffb4b2aaee7-7ffb4b2aaefc 159->167 175 7ffb4b2aaeb9 160->175 161->160 164 7ffb4b2aae48-7ffb4b2aaeb1 call 7ffb4b2a0ec0 call 7ffb4b2a9360 161->164 164->175 166->34 179 7ffb4b2aaf3d-7ffb4b2aaf52 167->179 180 7ffb4b2aaefe-7ffb4b2aaf38 call 7ffb4b2a0ec0 call 7ffb4b2a9360 167->180 175->34 187 7ffb4b2aaf58-7ffb4b2aaf69 179->187 188 7ffb4b2aafdd-7ffb4b2aaff2 179->188 180->34 187->5 197 7ffb4b2aaf6f-7ffb4b2aaf7f call 7ffb4b2a05a0 187->197 199 7ffb4b2aaff4-7ffb4b2aaff7 188->199 200 7ffb4b2ab032-7ffb4b2ab047 188->200 209 7ffb4b2aafbb-7ffb4b2aafd8 call 7ffb4b2a05a0 call 7ffb4b2a05a8 call 7ffb4b2a2c40 197->209 210 7ffb4b2aaf81-7ffb4b2aafb6 call 7ffb4b2a9360 197->210 199->5 203 7ffb4b2aaffd-7ffb4b2ab02d call 7ffb4b2a0598 call 7ffb4b2a05a8 call 7ffb4b2a2c40 199->203 211 7ffb4b2ab049-7ffb4b2ab088 call 7ffb4b2a9020 call 7ffb4b2a7f20 call 7ffb4b2a2c48 200->211 212 7ffb4b2ab08d-7ffb4b2ab0a2 200->212 203->34 209->34 210->34 211->34 229 7ffb4b2ab0a4-7ffb4b2ab107 call 7ffb4b2a0ec0 call 7ffb4b2a9360 212->229 230 7ffb4b2ab10c-7ffb4b2ab121 212->230 229->34 230->34 249 7ffb4b2ab127-7ffb4b2ab241 call 7ffb4b2a8370 call 7ffb4b2a8380 call 7ffb4b2a8390 call 7ffb4b2a83a0 call 7ffb4b2a20b0 call 7ffb4b2a83b0 call 7ffb4b2a8380 call 7ffb4b2a8390 230->249 285 7ffb4b2ab243-7ffb4b2ab247 249->285 286 7ffb4b2ab2b2-7ffb4b2ab2c7 call 7ffb4b2a0ec0 249->286 288 7ffb4b2ab249-7ffb4b2ab29a call 7ffb4b2a83c0 call 7ffb4b2a83d0 285->288 289 7ffb4b2ab2c8-7ffb4b2ab338 call 7ffb4b2a05b0 call 7ffb4b2a9360 285->289 286->289 301 7ffb4b2ab29f-7ffb4b2ab2a8 288->301 289->34 301->286
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3879391505.00007FFB4B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2A0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4b2a0000_17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID: 0-3916222277
                  • Opcode ID: e36f3fbacafb7d9643e880e7252f43de0d28aaefeb74c11d58a3cb0f902954b5
                  • Instruction ID: 3ac604153557f1ee80f8d113f2a951db68865348a1d5940968b3c2062d52f784
                  • Opcode Fuzzy Hash: e36f3fbacafb7d9643e880e7252f43de0d28aaefeb74c11d58a3cb0f902954b5
                  • Instruction Fuzzy Hash: BA725EB0B1C90A8FEB94FB38C55967A77D2EF9D311B508579D50EC32D2DE28AC428781

                  Control-flow Graph

                  control_flow_graph 391 7ffb4b2a6716-7ffb4b2a6723 392 7ffb4b2a6725-7ffb4b2a672d 391->392 393 7ffb4b2a672e-7ffb4b2a67f7 391->393 392->393 398 7ffb4b2a6863 393->398 399 7ffb4b2a67f9-7ffb4b2a6802 393->399 401 7ffb4b2a6865-7ffb4b2a688a 398->401 399->398 400 7ffb4b2a6804-7ffb4b2a6810 399->400 402 7ffb4b2a6849-7ffb4b2a6861 400->402 403 7ffb4b2a6812-7ffb4b2a6824 400->403 408 7ffb4b2a68f6 401->408 409 7ffb4b2a688c-7ffb4b2a6895 401->409 402->401 404 7ffb4b2a6826 403->404 405 7ffb4b2a6828-7ffb4b2a683b 403->405 404->405 405->405 407 7ffb4b2a683d-7ffb4b2a6845 405->407 407->402 410 7ffb4b2a68f8-7ffb4b2a69a0 408->410 409->408 411 7ffb4b2a6897-7ffb4b2a68a3 409->411 422 7ffb4b2a6a0e 410->422 423 7ffb4b2a69a2-7ffb4b2a69ac 410->423 412 7ffb4b2a68a5-7ffb4b2a68b7 411->412 413 7ffb4b2a68dc-7ffb4b2a68f4 411->413 415 7ffb4b2a68b9 412->415 416 7ffb4b2a68bb-7ffb4b2a68ce 412->416 413->410 415->416 416->416 417 7ffb4b2a68d0-7ffb4b2a68d8 416->417 417->413 424 7ffb4b2a6a10-7ffb4b2a6a39 422->424 423->422 425 7ffb4b2a69ae-7ffb4b2a69bb 423->425 432 7ffb4b2a6aa3 424->432 433 7ffb4b2a6a3b-7ffb4b2a6a46 424->433 426 7ffb4b2a69f4-7ffb4b2a6a0c 425->426 427 7ffb4b2a69bd-7ffb4b2a69cf 425->427 426->424 429 7ffb4b2a69d3-7ffb4b2a69e6 427->429 430 7ffb4b2a69d1 427->430 429->429 431 7ffb4b2a69e8-7ffb4b2a69f0 429->431 430->429 431->426 435 7ffb4b2a6aa5-7ffb4b2a6b36 432->435 433->432 434 7ffb4b2a6a48-7ffb4b2a6a56 433->434 436 7ffb4b2a6a58-7ffb4b2a6a6a 434->436 437 7ffb4b2a6a8f-7ffb4b2a6aa1 434->437 443 7ffb4b2a6b3c-7ffb4b2a6b4b 435->443 439 7ffb4b2a6a6c 436->439 440 7ffb4b2a6a6e-7ffb4b2a6a81 436->440 437->435 439->440 440->440 441 7ffb4b2a6a83-7ffb4b2a6a8b 440->441 441->437 444 7ffb4b2a6b53-7ffb4b2a6bb8 call 7ffb4b2a6bd4 443->444 445 7ffb4b2a6b4d 443->445 453 7ffb4b2a6bba 444->453 454 7ffb4b2a6bbf-7ffb4b2a6bd3 444->454 445->444 453->454
                  Memory Dump Source
                  • Source File: 00000000.00000002.3879391505.00007FFB4B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2A0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4b2a0000_17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b8146dfae5b2532f5c3c720d1b3e7333945728e57736db9fdda094500dd883dc
                  • Instruction ID: 2b5e9b0dfc98ea2f853ee06410da141a6ee9bb4ce24baf9a5792ba471f4d4a24
                  • Opcode Fuzzy Hash: b8146dfae5b2532f5c3c720d1b3e7333945728e57736db9fdda094500dd883dc
                  • Instruction Fuzzy Hash: 21F1A67050CA8D8FEBA9EF28C8557E97BD1FF58311F04826AE84DC7291DF3899458B81

                  Control-flow Graph

                  control_flow_graph 455 7ffb4b2a74c2-7ffb4b2a74cf 456 7ffb4b2a74da-7ffb4b2a75a7 455->456 457 7ffb4b2a74d1-7ffb4b2a74d9 455->457 462 7ffb4b2a7613 456->462 463 7ffb4b2a75a9-7ffb4b2a75b2 456->463 457->456 465 7ffb4b2a7615-7ffb4b2a763a 462->465 463->462 464 7ffb4b2a75b4-7ffb4b2a75c0 463->464 466 7ffb4b2a75f9-7ffb4b2a7611 464->466 467 7ffb4b2a75c2-7ffb4b2a75d4 464->467 471 7ffb4b2a76a6 465->471 472 7ffb4b2a763c-7ffb4b2a7645 465->472 466->465 469 7ffb4b2a75d6 467->469 470 7ffb4b2a75d8-7ffb4b2a75eb 467->470 469->470 470->470 473 7ffb4b2a75ed-7ffb4b2a75f5 470->473 475 7ffb4b2a76a8-7ffb4b2a76cd 471->475 472->471 474 7ffb4b2a7647-7ffb4b2a7653 472->474 473->466 476 7ffb4b2a7655-7ffb4b2a7667 474->476 477 7ffb4b2a768c-7ffb4b2a76a4 474->477 482 7ffb4b2a773b 475->482 483 7ffb4b2a76cf-7ffb4b2a76d9 475->483 478 7ffb4b2a7669 476->478 479 7ffb4b2a766b-7ffb4b2a767e 476->479 477->475 478->479 479->479 481 7ffb4b2a7680-7ffb4b2a7688 479->481 481->477 484 7ffb4b2a773d-7ffb4b2a776b 482->484 483->482 485 7ffb4b2a76db-7ffb4b2a76e8 483->485 492 7ffb4b2a77db 484->492 493 7ffb4b2a776d-7ffb4b2a7778 484->493 486 7ffb4b2a76ea-7ffb4b2a76fc 485->486 487 7ffb4b2a7721-7ffb4b2a7739 485->487 489 7ffb4b2a76fe 486->489 490 7ffb4b2a7700-7ffb4b2a7713 486->490 487->484 489->490 490->490 491 7ffb4b2a7715-7ffb4b2a771d 490->491 491->487 495 7ffb4b2a77dd-7ffb4b2a78b5 492->495 493->492 494 7ffb4b2a777a-7ffb4b2a7788 493->494 496 7ffb4b2a778a-7ffb4b2a779c 494->496 497 7ffb4b2a77c1-7ffb4b2a77d9 494->497 505 7ffb4b2a78bb-7ffb4b2a78ca 495->505 499 7ffb4b2a779e 496->499 500 7ffb4b2a77a0-7ffb4b2a77b3 496->500 497->495 499->500 500->500 502 7ffb4b2a77b5-7ffb4b2a77bd 500->502 502->497 506 7ffb4b2a78cc 505->506 507 7ffb4b2a78d2-7ffb4b2a7934 call 7ffb4b2a7950 505->507 506->507 515 7ffb4b2a7936 507->515 516 7ffb4b2a793b-7ffb4b2a794f 507->516 515->516
                  Memory Dump Source
                  • Source File: 00000000.00000002.3879391505.00007FFB4B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2A0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4b2a0000_17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a184fde661039cc708e83fb5e385dd482e6b8c4f3ca2d245660f491e601ed266
                  • Instruction ID: 99e7501b22e87f807a52ac28f3fa920c1dab7d120a22247044d58fc39537fb0b
                  • Opcode Fuzzy Hash: a184fde661039cc708e83fb5e385dd482e6b8c4f3ca2d245660f491e601ed266
                  • Instruction Fuzzy Hash: CFE1C57050CA4D8FEBA9EF28C8557E97BD1FF58310F14826AD84DC72A1CF78A9418781

                  Control-flow Graph

                  control_flow_graph 312 7ffb4b2a1bf8-7ffb4b2a1bff 313 7ffb4b2a1c0a-7ffb4b2a1c7d 312->313 314 7ffb4b2a1c01-7ffb4b2a1c09 312->314 318 7ffb4b2a1c83-7ffb4b2a1c88 313->318 319 7ffb4b2a1d09-7ffb4b2a1d0d 313->319 314->313 321 7ffb4b2a1c8f-7ffb4b2a1c90 318->321 320 7ffb4b2a1c92-7ffb4b2a1ccf SetWindowsHookExW 319->320 322 7ffb4b2a1cd7-7ffb4b2a1d08 320->322 323 7ffb4b2a1cd1 320->323 321->320 323->322
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.3879391505.00007FFB4B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2A0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffb4b2a0000_17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f.jbxd
                  Similarity
                  • API ID: HookWindows
                  • String ID:
                  • API String ID: 2559412058-0
                  • Opcode ID: ec32107b52de6b3468e148b7f5b9dd3df432a248c35f0654c7dbbf35ce257659
                  • Instruction ID: d3d41d0b210492a7b37e861ef3271bca4349cbed4f93f4d8a730f06fed2491ee
                  • Opcode Fuzzy Hash: ec32107b52de6b3468e148b7f5b9dd3df432a248c35f0654c7dbbf35ce257659
                  • Instruction Fuzzy Hash: 9641167090CA5C8FDB19EF68D8466F9BBE1EF5A321F00427ED049D3292CA64A852C781
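                  The control_flow_graph entries above are the textual form of the IDA plugin's per-function graphs: each basic block is listed as a numeric block id followed by its address range (or a single address for a one-instruction block), optionally annotated with "call <addr>" for internal call targets and bare API names such as SetWindowsHookExW for imported calls, and edges appear as "src->dst". The parser below is an added example written for this report's format; it is not Joe Sandbox code. It recovers block ranges, edges, internal callees and API names from an entry, then derives the function's address span, its exit blocks and any blocks unreachable from the entry block. The first sample line is the SetWindowsHookExW graph copied from the entry above; the second is a constructed three-block line added only to exercise the "call" annotation. The assumption that block ids are the only all-decimal tokens (every address in this report contains hex letters) is marked in the code.

```python
"""Parse Joe Sandbox 'control_flow_graph' edge lists (added example, not
Joe Sandbox code) and derive a per-function summary from them."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Cfg:
    entry: int = -1                              # first block listed
    nodes: dict = field(default_factory=dict)    # block id -> (start, end)
    edges: list = field(default_factory=list)    # (src, dst) block ids
    calls: dict = field(default_factory=dict)    # block id -> [callee address]
    apis: dict = field(default_factory=dict)     # block id -> [API name]


def _parse_range(tok):
    """'start-end' or a bare 'addr' for a single-instruction block."""
    lo, _, hi = tok.partition("-")
    return int(lo, 16), int(hi or lo, 16)


def parse_cfg(line):
    toks = line.split()
    if not toks or toks[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    cfg = Cfg()
    i = 1
    while i < len(toks):
        tok = toks[i]
        if "->" in tok:
            src, dst = tok.split("->")
            cfg.edges.append((int(src), int(dst)))
            i += 1
        elif tok.isdigit():
            # Assumption: block ids are the only purely decimal tokens; every
            # address in this report starts with 7ffb, so none is all digits.
            nid = int(tok)
            if cfg.entry < 0:
                cfg.entry = nid
            cfg.nodes[nid] = _parse_range(toks[i + 1])
            i += 2
            # Annotations trail the range until the next block id or edge.
            while i < len(toks) and "->" not in toks[i] and not toks[i].isdigit():
                if toks[i] == "call":
                    cfg.calls.setdefault(nid, []).append(int(toks[i + 1], 16))
                    i += 2
                else:                            # bare identifier = imported API
                    cfg.apis.setdefault(nid, []).append(toks[i])
                    i += 1
        else:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
    return cfg


def summarize(cfg):
    succ = {n: [] for n in cfg.nodes}
    for s, d in cfg.edges:
        succ.setdefault(s, []).append(d)
    # Breadth-first walk from the entry block to find dead (unreachable) blocks.
    seen, todo = set(), deque([cfg.entry])
    while todo:
        n = todo.popleft()
        if n in seen:
            continue
        seen.add(n)
        todo.extend(succ.get(n, []))
    return {
        "start": min(lo for lo, _ in cfg.nodes.values()),
        "end": max(hi for _, hi in cfg.nodes.values()),
        "blocks": len(cfg.nodes),
        "edges": len(cfg.edges),
        "exits": sorted(n for n, out in succ.items() if not out),
        "unreachable": sorted(set(cfg.nodes) - seen),
        "callees": sorted({a for lst in cfg.calls.values() for a in lst}),
        "apis": sorted({a for lst in cfg.apis.values() for a in lst}),
    }


# Copied from the SetWindowsHookExW entry in this report.
HOOK_CFG = ("control_flow_graph 312 7ffb4b2a1bf8-7ffb4b2a1bff 313 7ffb4b2a1c0a-7ffb4b2a1c7d "
            "312->313 314 7ffb4b2a1c01-7ffb4b2a1c09 312->314 318 7ffb4b2a1c83-7ffb4b2a1c88 "
            "313->318 319 7ffb4b2a1d09-7ffb4b2a1d0d 313->319 314->313 321 7ffb4b2a1c8f-7ffb4b2a1c90 "
            "318->321 320 7ffb4b2a1c92-7ffb4b2a1ccf SetWindowsHookExW 319->320 "
            "322 7ffb4b2a1cd7-7ffb4b2a1d08 320->322 323 7ffb4b2a1cd1 320->323 321->320 323->322")

# Constructed sample (not from the report) to exercise the 'call' annotation.
CALL_CFG = ("control_flow_graph 0 7ffb4b2a2c38-7ffb4b2a2c40 2 7ffb4b2a2c45-7ffb4b2a2c50 "
            "call 7ffb4b2a05c0 0->2 3 7ffb4b2a2c52 0->3 2->3")

if __name__ == "__main__":
    for line in (HOOK_CFG, CALL_CFG):
        s = summarize(parse_cfg(line))
        print(f"{s['start']:x}-{s['end']:x} blocks={s['blocks']} edges={s['edges']} "
              f"exits={s['exits']} unreachable={s['unreachable']} "
              f"callees={[hex(a) for a in s['callees']]} apis={s['apis']}")
```

                  Run against the hook entry it reports the function as spanning 7ffb4b2a1bf8-7ffb4b2a1d0d with nine blocks, one exit block (322) and the single imported call SetWindowsHookExW, which is the keyboard-hook primitive behind the "Contains functionality to log keystrokes" signature; the "unreachable" list is the check worth keeping when triaging packed .NET samples, since blocks the JIT emitted but nothing branches to are a common sign of the dummy-code padding the report flags elsewhere.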