
Windows Analysis Report
1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe

Overview

General Information

Sample name: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe
Analysis ID: 1569856
MD5: 3b418fcbdd3c8e5b79ae86050618b81d
SHA1: 9d0400d7d4a46e7230dd3dc99a71daffc53a63c5
SHA256: 40c2d745989be5157f4d5f241251e1a9954e7377613b587fa82d530b149b34b1
Tags: base64-decoded, exe, user-abuse_ch

Detection

Family: XWorm
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • cleanup
Malware Configuration

{"C2 url": ["87.120.116.179"], "Port": 1300, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
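The configuration above is what a defender actually works from: a C2 socket to block, a key that unlocks the sample's encrypted strings and traffic, a message delimiter, and the file name used for USB spreading. The following is an added example, not code from the Joe Sandbox report and not XWorm's own code. Two things in it are assumptions taken from public XWorm analyses rather than from this page: that the 32-byte AES key is built by MD5-hashing the configured key string and writing the digest into a 32-byte buffer at offset 0 and again at offset 15, and that SPL is the delimiter between the fields of each C2 message. The Suricata sid 9000001 is a placeholder and the C2 message at the bottom is constructed, not captured traffic.

```python
"""Added example: turning the extracted XWorm configuration into usable artefacts.

Assumptions (from public XWorm analyses, not from this report):
  * AES key = MD5(key string) copied into a 32-byte buffer at offset 0 and
    again at offset 15, so byte 15 holds digest[0] and byte 31 stays zero;
  * SPL is the delimiter between the fields of every C2 message.
"""
import hashlib
import json

# Configuration exactly as the sandbox reported it for this sample.
REPORTED_CONFIG = (
    '{"C2 url": ["87.120.116.179"], "Port": 1300, "Aes key": "<123456789>", '
    '"SPL": "<Xwormmm>", "Install file": "USB.exe"}'
)


def derive_aes_key(key_string: str) -> bytes:
    """Expand the operator-chosen key string into a 32-byte AES-256 key (assumed scheme)."""
    digest = hashlib.md5(key_string.encode("utf-8")).digest()
    key = bytearray(32)
    key[0:16] = digest      # first copy: bytes 0..15
    key[15:31] = digest     # second copy overlaps byte 15: bytes 15..30
    return bytes(key)       # byte 31 is left as 0x00


def split_c2_message(raw: str, spl: str) -> list:
    """Split one C2 message into its fields on the configured SPL delimiter."""
    return raw.split(spl)


def indicators(config_json: str) -> dict:
    """Reduce the reported config to the indicators a defender blocks or hunts on."""
    cfg = json.loads(config_json)
    port = int(cfg["Port"])
    return {
        "c2_sockets": [f"{host}:{port}" for host in cfg["C2 url"]],
        "aes_key_hex": derive_aes_key(cfg["Aes key"]).hex(),
        "spl_delimiter": cfg["SPL"],
        "usb_drop_name": cfg["Install file"],
    }


def suricata_rule(config_json: str, sid: int) -> str:
    """Emit a minimal Suricata rule for the configured C2 socket.

    The sid is caller-supplied (use your local range). The rule matches on
    destination only, so pair it with the payload-based rules that fired in
    the report rather than relying on it alone.
    """
    cfg = json.loads(config_json)
    host = cfg["C2 url"][0]
    return (
        f"alert tcp $HOME_NET any -> {host} {cfg['Port']} "
        f'(msg:"XWorm C2 socket from extracted config"; '
        f"flow:to_server,established; sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    print(json.dumps(indicators(REPORTED_CONFIG), indent=2))
    print(suricata_rule(REPORTED_CONFIG, sid=9000001))
    # Constructed message (not captured traffic): three fields joined with SPL.
    msg = "<Xwormmm>".join(["INFO", "DESKTOP-EXAMPLE", "user"])
    print(split_c2_message(msg, "<Xwormmm>"))
```

The overlapping second copy of the digest is why the key bytes 15..29 repeat bytes 0..14; that repetition is a cheap sanity check when you find a candidate key buffer in a memory dump of a suspected XWorm process.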
YARA matches: submitted sample

Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
    Matched strings:
    • 0x7a38: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7ad5: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7bea: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x76e6: $cnc4: POST / HTTP/1.1

YARA matches: memory dumps

Source: 00000000.00000000.1248923168.00000000008F2000.00000002.00000001.01000000.00000003.sdmp
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
    Matched strings:
    • 0x7838: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x78d5: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x79ea: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x74e6: $cnc4: POST / HTTP/1.1
Source: 00000000.00000002.3686976828.0000000002C91000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: Process Memory Space: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe PID: 7572
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security

YARA matches: unpacked PE images

Source: 0.0.1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe.8f0000.0.unpack
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
    Matched strings:
    • 0x7a38: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7ad5: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7bea: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x76e6: $cnc4: POST / HTTP/1.1

Two things worth reading out of these tables. First, the MALWARE_Win_AsyncRAT hit rests on four generic strings (three browser User-Agent values and a "POST / HTTP/1.1" fragment), so on its own it is weak family evidence; the dedicated XWorm rule, the extracted configuration and the Suricata hits below all agree on XWorm, which is the label to use. Second, the same four strings sit 0x200 bytes lower in the 0x8F2000 memory dump than in the file and in the unpacked image, which is consistent with that dump starting at the first section of the loaded module (base 0x8F0000) rather than at the PE header; keep that in mind when cross-referencing offsets between the file and the dump.
            No Sigma rule has matched
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-12-06T10:52:06.002954+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:52:16.778441+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:52:23.027095+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:52:27.567317+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:52:38.342233+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:52:49.126388+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:52:53.017195+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:52:57.639653+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:52:57.801351+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:52:57.921319+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:52:58.306177+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:05.809388+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:08.693489+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:13.591029+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:13.782911+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:13.905454+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:18.716075+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:18.948431+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:20.746450+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:23.012394+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:23.762556+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:23.924998+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:28.750892+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:30.609207+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:31.763494+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:32.888725+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:34.262811+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:34.454784+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:44.887409+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:45.079370+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:45.271124+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:49.279664+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:52.998498+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:55.684383+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:55.876208+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:56.389277+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:53:58.840908+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:00.779183+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:04.529203+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:05.794343+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:05.958461+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:06.078235+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:06.240532+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:07.122548+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:10.920296+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:11.184397+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:11.376410+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:12.990964+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:14.013417+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:16.342457+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:16.505072+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:16.984613+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:17.104507+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:22.124513+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:23.005897+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:23.658723+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:23.850907+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:24.519619+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:28.221620+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:28.760552+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:32.649590+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:32.839444+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:35.594594+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:38.022256+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:38.214607+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:38.335754+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:41.754668+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:48.315321+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:48.473149+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:50.439572+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:53.035658+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:54:58.926838+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:04.044955+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:04.178003+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:04.297954+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:08.818148+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:10.195768+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:14.731719+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:14.923713+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:15.045782+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:15.237401+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:17.868212+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:19.643257+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:19.891435+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:20.022991+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:20.337860+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:23.012613+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:25.138915+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:25.717522+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:27.423800+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:30.779175+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:32.300740+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:33.856874+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:35.873755+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:36.056077+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:36.191030+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:38.716717+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:46.184847+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:46.376650+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:47.501331+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:47.846222+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:50.170508+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:51.138442+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            2024-12-06T10:55:53.035494+010028528701Malware Command and Control Activity Detected87.120.116.1791300192.168.2.1049705TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-12-06T10:52:06.055024+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:52:16.780411+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:52:27.569032+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:52:38.344546+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:52:49.147451+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:52:57.921391+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:52:58.072299+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:52:58.424647+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:05.811383+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:08.700681+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:08.895596+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:13.593306+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:13.789182+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:13.909269+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:18.717507+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:18.951579+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:20.748544+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:24.019999+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:28.753510+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:30.615761+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:31.765570+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:32.894837+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:34.267587+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:34.456398+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:34.585553+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:44.962122+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:45.083732+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:45.273261+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:49.283012+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:55.686369+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:55.877932+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:56.391216+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:53:58.843235+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:00.783683+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:04.530906+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:05.928564+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:06.048596+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:06.208805+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:06.329837+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:07.127400+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:11.081864+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:11.201886+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:11.378092+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:13.037973+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:14.015697+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:17.049952+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:17.173922+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:22.126219+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:23.660874+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:23.854546+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:24.524045+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:28.223862+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:28.767975+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:32.651849+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:32.841253+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:35.596236+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:38.023978+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:38.225271+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:38.345178+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:41.756095+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:48.317788+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:48.479376+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:48.635266+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:50.444472+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:54:58.931930+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:55:04.106569+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:55:04.226422+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:55:04.346389+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:55:04.493041+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:55:08.824173+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:55:10.216774+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:55:14.733615+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:55:14.926085+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:55:15.048109+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:55:15.238976+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:55:17.870499+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:55:19.707571+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:55:19.893542+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:55:20.025183+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:55:20.207588+010028529231Malware Command and Control Activity Detected192.168.2.104970587.120.116.1791300TCP
            2024-12-06T10:55:20.500231+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:25.196464+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:25.719587+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:25.912210+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:26.032649+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:27.426139+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:30.781523+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:32.305070+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:33.859411+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:35.879078+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:36.058058+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:36.202774+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:38.719818+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:46.188047+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:46.378739+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:47.576227+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:47.959549+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:50.172406+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            2024-12-06T10:55:51.142269+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-12-06T10:52:23.027095+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
            2024-12-06T10:52:53.017195+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
            2024-12-06T10:53:23.012394+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
            2024-12-06T10:53:52.998498+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
            2024-12-06T10:54:23.005897+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
            2024-12-06T10:54:53.035658+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
            2024-12-06T10:55:23.012613+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
            2024-12-06T10:55:53.035494+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-12-06T10:53:18.446189+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
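The inbound SID 2852874 rows above fire every 30 seconds almost to the millisecond, which is the server-side keepalive the signature name describes; the outbound 2852923 rows are bursty. The Go program below is an added example, not part of the Joe Sandbox report, that reproduces that distinction on rows copied from the table: it groups alerts by signature and direction, measures the gaps between consecutive hits, and flags a flow as a beacon when the spread of gaps stays within a tolerance of the median. The 10% jitter tolerance and the four-alert minimum are choices made for the example, not values from the report.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Alert rows copied from the report's Suricata table (timestamp, SID, source,
// destination), limited to the two signatures that matter here: the server-side
// PING (SID 2852874, C2 -> bot) and the client check-in (SID 2852923, bot -> C2).
const sampleAlerts = `
2024-12-06T10:52:23.027095+0100 2852874 87.120.116.179:1300 192.168.2.10:49705
2024-12-06T10:52:53.017195+0100 2852874 87.120.116.179:1300 192.168.2.10:49705
2024-12-06T10:53:23.012394+0100 2852874 87.120.116.179:1300 192.168.2.10:49705
2024-12-06T10:53:52.998498+0100 2852874 87.120.116.179:1300 192.168.2.10:49705
2024-12-06T10:54:23.005897+0100 2852874 87.120.116.179:1300 192.168.2.10:49705
2024-12-06T10:54:53.035658+0100 2852874 87.120.116.179:1300 192.168.2.10:49705
2024-12-06T10:55:23.012613+0100 2852874 87.120.116.179:1300 192.168.2.10:49705
2024-12-06T10:55:53.035494+0100 2852874 87.120.116.179:1300 192.168.2.10:49705
2024-12-06T10:55:20.500231+0100 2852923 192.168.2.10:49705 87.120.116.179:1300
2024-12-06T10:55:25.196464+0100 2852923 192.168.2.10:49705 87.120.116.179:1300
2024-12-06T10:55:25.719587+0100 2852923 192.168.2.10:49705 87.120.116.179:1300
2024-12-06T10:55:25.912210+0100 2852923 192.168.2.10:49705 87.120.116.179:1300
2024-12-06T10:55:26.032649+0100 2852923 192.168.2.10:49705 87.120.116.179:1300
2024-12-06T10:55:27.426139+0100 2852923 192.168.2.10:49705 87.120.116.179:1300
`

// Alert is one Suricata alert row; Src and Dst are ip:port strings.
type Alert struct {
	Time     time.Time
	SID      int
	Src, Dst string
}

// Beacon summarises one (SID, source, destination) flow.
type Beacon struct {
	SID         int
	Src, Dst    string
	Count       int
	PeriodSec   float64 // median gap between consecutive alerts
	JitterRatio float64 // (largest gap - smallest gap) / median gap
	Periodic    bool
}

// tsLayout matches Suricata's timestamp format as printed in the report.
const tsLayout = "2006-01-02T15:04:05.999999-0700"

// parseAlerts reads whitespace-separated rows: timestamp sid src dst.
func parseAlerts(text string) ([]Alert, error) {
	var out []Alert
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed row: %q", sc.Text())
		}
		t, err := time.Parse(tsLayout, f[0])
		if err != nil {
			return nil, err
		}
		sid, err := strconv.Atoi(f[1])
		if err != nil {
			return nil, err
		}
		out = append(out, Alert{Time: t, SID: sid, Src: f[2], Dst: f[3]})
	}
	return out, sc.Err()
}

// flowKey groups alerts by signature and direction.
func flowKey(a Alert) string { return fmt.Sprintf("%d %s->%s", a.SID, a.Src, a.Dst) }

// findBeacons flags flows whose inter-alert gaps are near-constant. maxJitter is
// the tolerated (max-min)/median ratio: 0.1 means every gap lies within 10% of
// the median. Fewer than four alerts (three gaps) is never called periodic.
func findBeacons(alerts []Alert, maxJitter float64) map[string]Beacon {
	groups := map[string][]Alert{}
	for _, a := range alerts {
		groups[flowKey(a)] = append(groups[flowKey(a)], a)
	}
	res := map[string]Beacon{}
	for key, g := range groups {
		sort.Slice(g, func(i, j int) bool { return g[i].Time.Before(g[j].Time) })
		b := Beacon{SID: g[0].SID, Src: g[0].Src, Dst: g[0].Dst, Count: len(g)}
		if len(g) >= 4 {
			gaps := make([]float64, 0, len(g)-1)
			for i := 1; i < len(g); i++ {
				gaps = append(gaps, g[i].Time.Sub(g[i-1].Time).Seconds())
			}
			sort.Float64s(gaps)
			median := gaps[len(gaps)/2]
			b.PeriodSec = median
			b.JitterRatio = (gaps[len(gaps)-1] - gaps[0]) / median
			b.Periodic = b.JitterRatio <= maxJitter
		}
		res[key] = b
	}
	return res
}

func main() {
	alerts, err := parseAlerts(sampleAlerts)
	if err != nil {
		panic(err)
	}
	for key, b := range findBeacons(alerts, 0.1) {
		fmt.Printf("%-48s n=%d period=%.3fs jitter=%.4f periodic=%v\n",
			key, b.Count, b.PeriodSec, b.JitterRatio, b.Periodic)
	}
}
```

On the report's rows the C2-to-bot PING flow comes out with a 30 s median period and a jitter ratio under 0.01, while the bot-to-C2 check-in flow has gaps ranging from 0.1 s to 4.7 s and is not flagged. A fixed 30 s interval with sub-50 ms jitter is a strong hunting signal on its own, independent of the payload signature, which matters once the operator rebuilds the bot with a different key or prefix.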

            AV Detection

            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Avira: detected
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Malware Configuration Extractor: Xworm {"C2 url": ["87.120.116.179"], "Port": 1300, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | ReversingLabs: Detection: 84%
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Joe Sandbox ML: detected
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | String decryptor: 87.120.116.179
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | String decryptor: 1300
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | String decryptor: <123456789>
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | String decryptor: <Xwormmm>
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | String decryptor: 05-12-24
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | String decryptor: USB.exe
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
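The extracted configuration above carries everything needed to decode this bot's traffic offline: the C2 address and port, the AES key string and the SPL separator that delimits fields inside a message; the System Summary section of this report lists the TransformFinalBlock calls in Helper.cs and AlgorithmAES.cs that do the work. The Go program below is an added example, not code from the report or from the XWorm builder. It assumes the key schedule that public XWorm analyses describe for AlgorithmAES.cs (MD5 of the key string copied twice into a 32-byte buffer, AES in ECB mode, PKCS7 padding); the report shows only the key string and the API name, so verify the schedule against a captured frame before trusting the output. The message fields encrypted in main are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"errors"
	"fmt"
	"strings"
)

// Values recovered by the report's configuration extractor.
const (
	xwormKey = "<123456789>" // "Aes key"
	xwormSPL = "<Xwormmm>"   // "SPL": separator between the fields of one message
)

// deriveKey is the MD5-based key expansion public XWorm analyses attribute to
// AlgorithmAES.cs (assumption: the report shows only the key string and the
// TransformFinalBlock call). The 16-byte digest is written at offset 0 and again
// at offset 15 of a 32-byte buffer, so key[15] = digest[0] and key[31] = 0.
func deriveKey(password string) []byte {
	d := md5.Sum([]byte(password))
	key := make([]byte, 32)
	copy(key[0:], d[:])
	copy(key[15:], d[:])
	return key
}

// pkcs7Pad and pkcs7Unpad reproduce PaddingMode.PKCS7 on 16-byte blocks.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("input not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// ecb runs the block cipher over each block independently (CipherMode.ECB):
// no IV and no chaining, so equal plaintext blocks give equal ciphertext blocks.
func ecb(block cipher.Block, in []byte, decrypt bool) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if decrypt {
			block.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			block.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out
}

// encrypt builds a message the way the bot would: fields joined by SPL, then
// AES-256-ECB with PKCS7 padding under the MD5-derived key.
func encrypt(password string, fields ...string) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(password))
	if err != nil {
		return nil, err
	}
	return ecb(block, pkcs7Pad([]byte(strings.Join(fields, xwormSPL))), false), nil
}

// decrypt reverses it and returns the Pack[] fields the bot dispatches on;
// Pack[0] is the command, such as the PING the Suricata rules fire on.
func decrypt(password string, ct []byte) ([]string, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	block, err := aes.NewCipher(deriveKey(password))
	if err != nil {
		return nil, err
	}
	pt, err := pkcs7Unpad(ecb(block, ct, true))
	if err != nil {
		return nil, err
	}
	return strings.Split(string(pt), xwormSPL), nil
}

func main() {
	// Constructed fields for the example; not values observed in this sample.
	ct, err := encrypt(xwormKey, "INFO", "DESKTOP-TEST", "user")
	if err != nil {
		panic(err)
	}
	fields, err := decrypt(xwormKey, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("key=%x\nciphertext=%x\nfields=%q\n", deriveKey(xwormKey), ct, fields)
}
```

Because the key depends only on the builder's key string, every bot built with "<123456789>" shares it, so one configuration extraction lets a responder decode traffic from all of them. ECB without authentication also means the repeated PING frames carry identical ciphertext blocks, which is what makes a byte-prefix signature like the "Generic Prefix Bytes" rules above workable.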

            Networking

            Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.10:49705 -> 87.120.116.179:1300
            Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 87.120.116.179:1300 -> 192.168.2.10:49705
            Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.10:49705 -> 87.120.116.179:1300
            Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 87.120.116.179:1300 -> 192.168.2.10:49705
            Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.10:49705 -> 87.120.116.179:1300
            Source: Malware configuration extractor | URLs: 87.120.116.179
            Source: global traffic | TCP traffic: 192.168.2.10:49705 -> 87.120.116.179:1300
            Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG
            Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.116.179 (50 occurrences)
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe, 00000000.00000002.3686976828.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe, XLogger.cs | .Net Code: KeyboardLayout

            System Summary

            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.0.1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe.8f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000000.1248923168.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Code function: 0_2_00007FF7C13268F6
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Code function: 0_2_00007FF7C13276A2
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Code function: 0_2_00007FF7C132A6A4
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe, 00000000.00000000.1248950623.00000000008FC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamerwalidad.exe4 vs 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Binary or memory string: OriginalFilenamerwalidad.exe4 vs 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.0.1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe.8f0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000000.1248923168.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' (2 occurrences)
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\3K4hxUJ98OMO2ygA
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | ReversingLabs: Detection: 84%
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (twice), uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, mswsock.dll, wbemcomn.dll, amsi.dll, userenv.dll, avicap32.dll, msvfw32.dll, winmm.dll
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe, Messages.cs | .Net Code: Memory
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX (46 occurrences)
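The Messages.cs rows above show the plugin path: the bot splits a decrypted message on SPL into Pack[], base64-decodes and decompresses Pack[3], loads the result with AppDomain.Load(byte[]) and invokes it with Pack[2] as argument, so the plugin never touches disk and the first LateCall hands it the bot's own Host, Port, SPL and KEY. The Go program below is an added example, not code from the report, and does the analyst's version of that unpacking: recover the image from an already-decrypted message, check that it looks like a PE, hash it, and never execute it. Assumptions: Helper.Decompress is a GZip stream (the report shows only the call, not the codec), and the command name "Plugin", the id and the argument used in the constructed message are placeholders, not values observed in this sample.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// SPL value from the report's extracted configuration.
const xwormSPL = "<Xwormmm>"

// maxPayload caps decompression so a hostile frame cannot exhaust memory.
const maxPayload = 32 << 20

// Plugin holds what the Messages.cs branch above would hand to AppDomain.Load:
// Pack[2] as the invoke argument and Pack[3], decoded and decompressed, as the image.
type Plugin struct {
	Command string // Pack[0]
	Arg     string // Pack[2]
	Image   []byte // decoded Pack[3]
	SHA256  string // for IOC sharing and retro-hunting
}

// decodePayload mirrors Helper.Decompress(Convert.FromBase64String(Pack[3])).
// Assumption: Helper.Decompress is GZip; the report shows only the call.
func decodePayload(field string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(field)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	zr, err := gzip.NewReader(bytes.NewReader(raw))
	if err != nil {
		return nil, fmt.Errorf("gzip header: %w", err)
	}
	defer zr.Close()
	out, err := io.ReadAll(io.LimitReader(zr, maxPayload+1))
	if err != nil {
		return nil, fmt.Errorf("gzip body: %w", err)
	}
	if len(out) > maxPayload {
		return nil, errors.New("payload exceeds size cap")
	}
	return out, nil
}

// extractPlugin splits a decrypted message on SPL and recovers the plugin image
// without loading it, the analyst's counterpart to AppDomain.Load(byte[]).
func extractPlugin(msg string) (*Plugin, error) {
	pack := strings.Split(msg, xwormSPL)
	if len(pack) < 4 {
		return nil, fmt.Errorf("message has %d fields, need at least 4", len(pack))
	}
	img, err := decodePayload(pack[3])
	if err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(img, []byte("MZ")) {
		return nil, errors.New("decoded payload is not a PE image")
	}
	sum := sha256.Sum256(img)
	return &Plugin{Command: pack[0], Arg: pack[2], Image: img, SHA256: hex.EncodeToString(sum[:])}, nil
}

// buildMessage constructs a frame in that layout for offline testing. The field
// values are placeholders, not values observed in this sample.
func buildMessage(command, id, arg string, image []byte) (string, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(image); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	enc := base64.StdEncoding.EncodeToString(buf.Bytes())
	return strings.Join([]string{command, id, arg, enc}, xwormSPL), nil
}

func main() {
	// Constructed stub with a PE magic, not a real assembly.
	fake := append([]byte("MZ"), bytes.Repeat([]byte{0}, 62)...)
	msg, err := buildMessage("Plugin", "0000", "Run", fake)
	if err != nil {
		panic(err)
	}
	p, err := extractPlugin(msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("command=%s arg=%s size=%d sha256=%s\n", p.Command, p.Arg, len(p.Image), p.SHA256)
}
```

Recovering the plugin this way, from a decrypted capture or from the process memory of a running bot, is what turns the "Plugin" and "Memory" handlers above from a gap in coverage into a second set of hashes to block; the sandbox only observed the loader, not the modules the operator pushes later.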

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Memory allocated: D60000 memory reserve, memory write watch
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Memory allocated: 1AC90000 memory reserve, memory write watch
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Window / User API: threadDelayed 9627
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe TID: 8116 | Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe TID: 8120 | Thread sleep count: 9627 > 30
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe TID: 8120 | Thread sleep count: 230 > 30
            Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | File Volume queried: C:\ FullSizeInformation (2 occurrences)
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Thread delayed: delay time: 922337203685477
            Source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe, 00000000.00000002.3688423444.000000001BC20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllSy
            Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Process token adjusted: Debug
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Queries volume information: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe VolumeInformation
Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
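The evasion and anti-debugging evidence above is a flat list of API-level observations. The script below is an added example, not part of the Joe Sandbox report, that turns such lines into triage tags and checks the reported delay value: 922337203685477 ms is exactly Int64.MaxValue 100-ns ticks expressed in whole milliseconds, i.e. .NET's TimeSpan.MaxValue, so the thread is parked for the remainder of the run rather than sleeping for any measurable interval. The evidence lines are transcribed from this report with the sample path shortened to SAMPLE; the tag names, the five-minute "analysis budget" threshold and the scoring are the example's own choices, not Joe Sandbox's.

```python
import re
from collections import Counter

# .NET's TimeSpan.MaxValue is Int64.MaxValue ticks of 100 ns. In whole milliseconds that is
# (2**63 - 1) // 10_000 == 922337203685477, exactly the "delay time" reported above.
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
# Example threshold: a wait longer than this outlasts a typical automated-analysis run.
LONG_DELAY_MS = 5 * 60 * 1000

# Evidence lines transcribed from the two behaviour sections above; the sample path is
# shortened to SAMPLE, the detail text is as reported.
EVIDENCE = """\
SAMPLE | WMI Queries: IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_VideoController
SAMPLE | Memory allocated: D60000 memory reserve | memory write watch
SAMPLE | Memory allocated: 1AC90000 memory reserve | memory write watch
SAMPLE | Thread delayed: delay time: 922337203685477
SAMPLE TID: 8120 | Thread sleep count: 9627 > 30
SAMPLE TID: 8120 | Thread sleep count: 230 > 30
SAMPLE | Process Stats: CPU usage > 42% for more than 60s
SAMPLE | Process token adjusted: Debug
SAMPLE | Memory allocated: page read and write | page guard
SAMPLE | Key value queried: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid
SAMPLE | WMI Queries: IWbemServices::ExecQuery - root\\SecurityCenter2 : Select * from AntivirusProduct
"""

# (pattern, tag, what the observation indicates); the first matching rule wins.
RULES = [
    (re.compile(r"WMI Queries:.*Win32_VideoController"), "vm-check-gpu",
     "GPU adapter name lookup; hypervisor adapters are trivial to recognise"),
    (re.compile(r"WMI Queries:.*AntivirusProduct"), "av-enum",
     "Security Center enumeration of installed AV products"),
    (re.compile(r"memory reserve \| memory write watch"), "write-watch-alloc",
     "MEM_WRITE_WATCH reservation; also used by the CLR garbage collector, so weak on its own"),
    (re.compile(r"Thread delayed: delay time: (\d+)"), "long-delay", "single very long wait"),
    (re.compile(r"Thread sleep count: (\d+) > 30"), "sleep-loop", "many short sleeps in a loop"),
    (re.compile(r"page read and write \| page guard"), "guard-page-alloc",
     "PAGE_GUARD allocation; a stepping debugger trips the guard"),
    (re.compile(r"Process token adjusted: Debug"), "se-debug-privilege",
     "SeDebugPrivilege enabled in the process token"),
    (re.compile(r"Cryptography MachineGuid"), "hwid-machineguid",
     "MachineGuid read, commonly used as a stable host identifier"),
    (re.compile(r"CPU usage > (\d+)%"), "busy-loop", "sustained CPU burn while otherwise idle"),
]
EVASION_TAGS = {"vm-check-gpu", "write-watch-alloc", "long-delay", "sleep-loop",
                "guard-page-alloc", "busy-loop"}


def delay_flags(ms):
    """Describe a reported delay value in milliseconds."""
    flags = set()
    if ms >= LONG_DELAY_MS:
        flags.add("exceeds-analysis-budget")
    if ms == DOTNET_TIMESPAN_MAX_MS:
        flags.add("timespan-maxvalue")
    return flags


def triage(text):
    """Tag each evidence line; the score is simply the number of evasion-tagged lines."""
    hits, delays = Counter(), []
    for line in text.splitlines():
        _source, _, detail = line.partition(" | ")  # split only at the first separator
        for pattern, tag, _why in RULES:
            match = pattern.search(detail)
            if match:
                hits[tag] += 1
                if tag == "long-delay":
                    delays.append(int(match.group(1)))
                break
    return {
        "hits": dict(hits),
        "delays": {ms: sorted(delay_flags(ms)) for ms in delays},
        "evasion_score": sum(n for tag, n in hits.items() if tag in EVASION_TAGS),
    }


if __name__ == "__main__":
    for key, value in triage(EVIDENCE).items():
        print(f"{key}: {value}")
```

The point of `delay_flags` is that a delay equal to TimeSpan.MaxValue cannot come from `Thread.Sleep(int)` (capped at Int32.MaxValue ms); it is a TimeSpan-based wait that never returns, which fits the idle process and the timeout stop reason recorded further down in this report.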

Stealing of Sensitive Information

Source: Yara match | File source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1248923168.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3686976828.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe PID: 7572, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1248923168.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3686976828.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe PID: 7572, type: MEMORYSTR
MITRE ATT&CK matrix (bracketed digits are the signature hit counts the original matrix displays next to a technique; entries without digits had no matching signature)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation [11]; Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [232]; Deobfuscate/Decode Files or Information [1]; Software Packing [2]; DLL Side-Loading [1]
Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery [211]; Process Discovery [1]; Virtualization/Sandbox Evasion [232]; Application Window Discovery [1]; System Information Discovery [13]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Input Capture [1]; Archive Collected Data [11]; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Source | Detection | Scanner | Label | Link
1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | 84% | ReversingLabs | Win32.Trojan.Xworm |
1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | 100% | Avira | TR/Spy.Gen |
1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
87.120.116.179 | 0% | Avira URL Cloud | safe |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
87.120.116.179 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe, 00000000.00000002.3686976828.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | | high
(The schemas.xmlsoap.org string is the standard WS-* claim-type URI for a user name, ClaimTypes.Name in the .NET Framework; it is in memory because of the framework, not because the sample contacts it. The only network indicator in this analysis is 87.120.116.179, and the "safe" Avira URL Cloud verdict for it is a URL-reputation lookup that does not contradict the malicious flag, which comes from the XWorm C2 traffic observed to that host.)
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
87.120.116.179 | unknown | Bulgaria | | 25206 | UNACS-AS-BG8000BurgasBG | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1569856
Start date and time: 2024-12-06 10:50:57 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 4
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
• Report size getting too big; too many NtDeviceIoControlFile calls found
• VT rate limit hit for: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe
Time | Type | Description
04:51:58 | API Interceptor | 13046595x Sleep call for process: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
87.120.116.179 | 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Get hash | malicious | XWorm | Browse |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
UNACS-AS-BG8000BurgasBG | 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Get hash | malicious | XWorm | Browse | 87.120.116.179
UNACS-AS-BG8000BurgasBG | yIla7SeJ6r.doc | Get hash | malicious | XenoRAT | Browse | 87.120.120.27
UNACS-AS-BG8000BurgasBG | gjot5vxpIC.exe | Get hash | malicious | XenoRAT | Browse | 87.120.120.27
UNACS-AS-BG8000BurgasBG | file.exe | Get hash | malicious | Amadey, AsyncRAT, Stealc, Vidar | Browse | 87.120.125.31
UNACS-AS-BG8000BurgasBG | po4877383.exe | Get hash | malicious | RedLine | Browse | 87.120.120.86
UNACS-AS-BG8000BurgasBG | e824975.html | Get hash | malicious | Unknown | Browse | 87.120.114.172
UNACS-AS-BG8000BurgasBG | qqig1mHX8U.exe | Get hash | malicious | AveMaria, DBatLoader, UACMe | Browse | 87.120.125.217
UNACS-AS-BG8000BurgasBG | RFQ LIST 767655776478637584637865763478634365634444444444444444453.exe | Get hash | malicious | GuLoader | Browse | 87.120.114.159
UNACS-AS-BG8000BurgasBG | New listed items 7648767856387547354734567465647568487.exe | Get hash | malicious | Discord Token Stealer, GuLoader | Browse | 87.120.114.159
No context
                No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.6123779876088244
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe
File size: 36'864 bytes
MD5: 3b418fcbdd3c8e5b79ae86050618b81d
SHA1: 9d0400d7d4a46e7230dd3dc99a71daffc53a63c5
SHA256: 40c2d745989be5157f4d5f241251e1a9954e7377613b587fa82d530b149b34b1
SHA512: 35cd3f4f4e39632c5edbc1b8bdb09b694b758a8652044b9e7a3ae525966ef0c1b01e11f3e8ddc2265f70ef7bcfa6df69f2b207d7cf08f4f580acfc93d17ffd26
SSDEEP: 768:GL13A5Uno9RfHWa2BLyeo8icH1bxbFb9ExOMhTQXv2:AxA5Uno9JHWX+eNicH1bBFb9ExOM562
TLSH: 62F24C48BB904216D9ED6BF5A97372020674E613DD17EB4E4CD48ADB6F23BC08D013EA
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q.Qg................................. ........@.. ....................................@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x40a5ee
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67519B71 [Thu Dec 5 12:24:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(followed by 97 x "add byte ptr [eax], al", which is how the disassembler renders the zero bytes after the stub: the opcode bytes 00 00 decode to that instruction)

The six-byte stub is the standard native entry point of a managed executable: 0x402000 is RVA 0x2000, the IMAGE_DIRECTORY_ENTRY_IAT entry (size 8, in .text), and the only import is mscoree.dll!_CorExeMain, so control passes straight to the CLR. The program logic lives in the CIL metadata described by the COM descriptor directory, not in native code, which is why the native disassembly at the entry point tells an analyst nothing beyond "this is a .NET binary".
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa598 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x85f4 | 0x8600 | ab1c38b62583dbb99759221e841a8b1c | False | 0.49903801305970147 | data | 5.747698558102092 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x4e0 | 0x600 | 785720fcd290cca76b98e07cde1da14a | False | 0.376953125 | data | 3.723002299043814 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | fd3ac7fbb8a34dc91e775b7c64e87bbc | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x24c | data | | | 0.47278911564625853
RT_MANIFEST | 0xc2f0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
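To make the entry point listing concrete, the following Python (an added example, not from the report or the sample) takes the image base, entry point, section table, data directories and import table exactly as reported above and resolves what the six-byte stub does. The stub bytes FF 25 00 20 40 00 are reconstructed from the listed instruction `jmp dword ptr [00402000h]` (that is the only x86-32 encoding of an absolute indirect jmp), not read from the sample; the section and directory bounds checks are plain arithmetic on the reported values.

```python
import struct

IMAGE_BASE = 0x400000
ENTRY_POINT = 0x40a5ee  # "Entrypoint" as reported above

# Section table and the non-empty data directories as reported above: (RVA, size).
SECTIONS = [(".text", 0x2000, 0x85f4), (".rsrc", 0xc000, 0x4e0), (".reloc", 0xe000, 0xc)]
DIRECTORIES = {
    "IMPORT": (0xa598, 0x53), "RESOURCE": (0xc000, 0x4e0), "BASERELOC": (0xe000, 0xc),
    "IAT": (0x2000, 0x8), "COM_DESCRIPTOR": (0x2008, 0x48),
}
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}

# "jmp dword ptr [00402000h]" from the listing above. On x86-32 an absolute indirect jmp is
# always FF 25 <disp32>; these bytes are a reconstruction, not a copy from the sample.
ENTRY_STUB = bytes.fromhex("ff25") + struct.pack("<I", 0x402000)


def section_for_rva(rva):
    for name, va, size in SECTIONS:
        if va <= rva < va + size:
            return name
    return None


def directory_for_rva(rva):
    for name, (va, size) in DIRECTORIES.items():
        if va <= rva < va + size:
            return name
    return None


def decode_abs_jmp(stub):
    """Return the pointer read by `jmp dword ptr [disp32]` (FF /4, ModRM 0x25), else None."""
    if len(stub) < 6 or stub[0] != 0xFF or stub[1] != 0x25:
        return None
    return struct.unpack_from("<I", stub, 2)[0]


def resolve_entry_stub(entry_va, stub):
    """Work out where the native entry point of the PE leads."""
    entry_rva = entry_va - IMAGE_BASE
    text_va, text_size = SECTIONS[0][1], SECTIONS[0][2]
    info = {
        "entry_section": section_for_rva(entry_rva),
        # The stub occupies the last six bytes of .text's virtual size, so whatever the
        # disassembler shows after it lies outside the section's real content.
        "stub_is_last_bytes_of_text": entry_rva + 6 == text_va + text_size,
        "has_clr_header": "COM_DESCRIPTOR" in DIRECTORIES,
    }
    target = decode_abs_jmp(stub)
    if target is None:
        info["kind"] = "not-an-indirect-jmp"
        return info
    rva = target - IMAGE_BASE
    info["jmp_reads"] = hex(target)
    info["target_directory"] = directory_for_rva(rva)
    info["target_section"] = section_for_rva(rva)
    # An indirect jmp through the IAT whose only import is mscoree!_CorExeMain is the stock
    # CLR loader stub: native code ends here and execution continues in the managed code.
    only_clr_import = IMPORTS == {"mscoree.dll": ["_CorExeMain"]}
    info["kind"] = ("clr-loader-stub" if info["target_directory"] == "IAT" and only_clr_import
                    else "custom-native-entry")
    return info


if __name__ == "__main__":
    for key, value in resolve_entry_stub(ENTRY_POINT, ENTRY_STUB).items():
        print(f"{key}: {value}")
```

The useful negative case is a managed binary whose stub does not jump through the IAT, or whose import table carries more than mscoree: either means someone added native code to what should be a pure CLR image, and that is where static analysis of the native side becomes worthwhile.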
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-06T10:52:05.613158+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:06.002954+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:52:06.055024+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:16.778441+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:52:16.780411+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:23.027095+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:52:23.027095+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:52:27.567317+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:52:27.569032+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:38.342233+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:52:38.344546+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:49.126388+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:52:49.147451+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:53.017195+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:52:53.017195+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:52:57.639653+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:52:57.801351+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:52:57.921319+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:52:57.921391+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:58.072299+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:52:58.306177+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:52:58.424647+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:05.809388+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:05.811383+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:08.693489+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:08.700681+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:08.895596+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:13.591029+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:13.593306+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:13.782911+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:13.789182+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:13.905454+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:13.909269+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:18.446189+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:18.716075+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:18.717507+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:18.948431+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:18.951579+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:20.746450+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:20.748544+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:23.012394+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:23.012394+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:23.762556+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:23.924998+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:24.019999+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:28.750892+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:28.753510+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:30.609207+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:30.615761+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:31.763494+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:31.765570+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:32.888725+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:32.894837+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:34.262811+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:34.267587+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:34.454784+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:34.456398+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:34.585553+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:44.887409+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:44.962122+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:45.079370+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:45.083732+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:45.271124+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:45.273261+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:49.279664+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:49.283012+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:52.998498+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:52.998498+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:55.684383+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:55.686369+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:55.876208+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:55.877932+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:56.389277+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:56.391216+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:53:58.840908+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:53:58.843235+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:00.779183+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:54:00.783683+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:04.529203+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:54:04.530906+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:05.794343+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:54:05.928564+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:05.958461+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:54:06.048596+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:06.078235+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:54:06.208805+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
2024-12-06T10:54:06.240532+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.10 | 49705 | TCP
2024-12-06T10:54:06.329837+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49705 | 87.120.116.179 | 1300 | TCP
                2024-12-06T10:54:07.122548+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:07.127400+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:10.920296+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:11.081864+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:11.184397+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:11.201886+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:11.376410+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:11.378092+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:12.990964+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:13.037973+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:14.013417+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:14.015697+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:16.342457+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:16.505072+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:16.984613+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:17.049952+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:17.104507+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:17.173922+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:22.124513+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:22.126219+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:23.005897+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:23.005897+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:23.658723+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:23.660874+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:23.850907+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:23.854546+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:24.519619+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:24.524045+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:28.221620+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:28.223862+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:28.760552+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:28.767975+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:32.649590+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:32.651849+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:32.839444+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:32.841253+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:35.594594+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:35.596236+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:38.022256+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:38.023978+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:38.214607+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:38.225271+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:38.335754+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:38.345178+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:41.754668+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:41.756095+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:48.315321+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:48.317788+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:48.473149+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:48.479376+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:48.635266+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:50.439572+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:50.444472+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:54:53.035658+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:53.035658+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:58.926838+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:54:58.931930+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:04.044955+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:04.106569+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:04.178003+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:04.226422+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:04.297954+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:04.346389+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:04.493041+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:08.818148+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:08.824173+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:10.195768+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:10.216774+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:14.731719+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:14.733615+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:14.923713+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:14.926085+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:15.045782+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:15.048109+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:15.237401+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:15.238976+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:17.868212+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:17.870499+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:19.643257+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:19.707571+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:19.891435+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:19.893542+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:20.022991+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:20.025183+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:20.207588+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:20.337860+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:20.500231+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:23.012613+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:23.012613+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:25.138915+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:25.196464+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:25.717522+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:25.719587+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:25.912210+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:26.032649+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:27.423800+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:27.426139+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:30.779175+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:30.781523+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:32.300740+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:32.305070+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:33.856874+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:33.859411+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:35.873755+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:35.879078+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:36.056077+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:36.058058+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:36.191030+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:36.202774+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:38.716717+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:38.719818+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:46.184847+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:46.188047+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:46.376650+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:46.378739+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:47.501331+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:47.576227+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:47.846222+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:47.959549+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:50.170508+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:50.172406+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:51.138442+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:51.142269+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.104970587.120.116.1791300TCP
                2024-12-06T10:55:53.035494+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.1049705TCP
                2024-12-06T10:55:53.035494+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.116.1791300192.168.2.1049705TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Dec 6, 2024 10:53:24.593380928 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:28.361509085 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:28.482848883 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:28.750891924 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:28.753509998 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:28.873384953 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:30.217037916 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:30.336967945 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:30.609206915 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:30.615761042 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:30.735577106 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:31.373420954 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:31.493527889 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:31.763494015 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:31.765569925 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:31.885435104 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:32.498670101 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:32.618849993 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:32.888725042 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:32.894836903 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:33.014679909 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:33.873394012 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:33.993273973 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:33.993354082 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:34.113276958 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:34.262810946 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:34.267586946 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:34.389725924 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:34.454783916 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:34.456398010 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:34.576096058 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:34.582798958 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:34.585552931 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:34.748487949 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:34.748769999 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:34.868587971 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:44.498305082 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:44.618030071 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:44.618110895 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:44.738284111 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:44.842109919 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:44.887408972 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:44.935605049 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:44.961970091 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:44.962121964 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:45.079370022 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:45.081828117 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:45.083731890 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:45.203593016 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:45.271123886 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:45.273261070 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:45.393003941 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:48.889646053 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:49.009336948 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:49.279664040 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:49.283011913 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:49.404143095 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:52.998497963 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:53.169991016 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:55.295392990 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:55.415285110 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:55.415345907 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:55.535000086 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:55.684382915 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:55.686368942 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:55.806140900 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:55.876208067 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:55.877932072 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:55.997698069 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:55.999633074 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:56.119782925 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:56.389276981 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:56.391216040 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:56.510971069 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:58.451519012 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:58.571240902 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:58.840908051 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:53:58.843235016 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:53:58.965086937 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:00.389143944 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:00.508888960 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:00.779182911 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:00.783683062 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:00.903552055 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:04.139233112 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:04.259155035 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:04.529202938 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:04.530905962 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:04.650741100 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:05.405181885 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:05.525126934 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:05.525186062 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:05.646269083 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:05.646334887 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:05.766280890 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:05.766360044 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:05.794342995 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:05.841927052 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:05.928510904 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:05.928564072 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:05.958461046 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:05.998188019 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:06.048544884 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:06.048595905 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:06.078234911 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:06.123178959 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:06.208715916 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:06.208805084 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:06.240531921 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:06.295047045 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:06.329054117 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:06.329837084 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:06.364986897 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:06.421710014 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:06.492497921 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:06.493825912 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:06.613635063 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:06.733051062 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:06.852938890 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:07.122548103 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:07.127399921 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:07.247159958 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:10.529728889 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:10.650499105 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:10.795393944 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:10.915272951 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:10.917804003 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:10.920295954 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:10.969739914 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:11.080571890 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:11.081864119 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:11.184396982 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:11.201711893 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:11.201885939 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:11.321686983 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:11.376410007 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:11.378092051 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:11.497872114 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:12.592238903 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:12.711930037 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:12.990963936 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:13.037972927 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:13.157666922 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:13.623585939 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:13.745001078 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:14.013417006 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:14.015697002 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:14.135354042 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:15.952461004 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:16.072621107 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:16.072679996 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:16.192965031 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:16.193025112 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:16.312895060 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:16.312968016 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:16.342457056 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:16.388876915 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:16.480427980 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:16.480660915 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:16.505072117 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:16.561775923 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:16.600645065 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:16.600739002 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:16.629705906 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:16.670105934 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:16.764424086 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:16.764606953 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:16.793421030 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:16.842370987 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:16.884607077 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:16.885859013 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:16.912569046 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:16.969770908 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:16.984612942 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:16.984781027 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:17.048485994 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:17.049952030 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:17.104506969 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:17.104520082 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:17.157058954 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:17.169749022 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:17.173922062 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:17.293704033 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:21.732867956 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:21.852718115 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:22.124512911 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:22.126219034 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:22.246030092 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:23.005897045 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:23.065821886 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:23.268132925 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:23.387928009 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:23.436098099 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:23.556423903 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:23.658723116 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:23.660873890 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:23.780962944 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:23.850907087 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:23.854546070 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:23.974464893 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:24.123864889 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:24.244791985 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:24.519618988 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:24.524044991 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:24.643810034 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:27.826881886 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:27.946579933 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:28.221620083 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:28.223861933 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:28.343852043 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:28.348005056 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:28.467776060 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:28.760551929 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:28.767975092 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:28.887649059 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:32.249053001 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:32.368791103 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:32.368918896 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:32.488614082 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:32.649590015 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:32.651849031 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:32.771682024 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:32.839443922 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:32.841253042 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:32.961884975 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:35.201894045 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:35.321582079 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:35.594594002 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:35.596235991 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:35.716006994 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:37.623836994 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:37.743657112 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:37.743721962 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:37.863606930 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:38.022255898 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:38.023977995 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:38.143754005 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:38.214607000 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:38.225270987 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:38.335753918 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:38.345118999 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:38.345177889 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:38.464967966 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:41.358119965 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:41.477952957 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:41.754667997 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:41.756094933 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:41.875987053 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:47.920660019 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:48.040429115 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:48.040496111 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:48.160413027 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:48.160484076 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:48.280314922 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:48.315320969 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:48.317787886 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:48.473149061 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:48.479376078 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:48.632143021 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:48.635266066 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:48.795118093 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:48.795299053 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:48.956496000 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:48.956628084 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:49.076459885 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:50.045645952 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:50.331223965 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:50.439572096 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:50.444472075 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:50.564378977 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:53.035657883 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:53.077977896 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:58.532177925 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:58.651962996 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:58.926837921 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:54:58.931930065 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:54:59.051676035 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:03.624219894 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:03.743947983 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:03.744012117 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:03.866168976 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:03.866228104 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:03.985904932 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:03.985964060 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:04.044955015 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:04.045047998 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:04.105729103 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:04.106569052 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:04.178003073 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:04.226362944 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:04.226422071 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:04.297954082 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:04.342297077 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:04.346311092 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:04.346389055 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:04.418605089 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:04.466440916 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:04.468116045 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:04.493041039 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:04.538419008 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:04.541531086 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:04.612761974 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:04.615242004 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:04.661333084 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:04.735085011 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:08.405251980 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:08.524914026 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:08.818147898 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:08.824172974 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:08.944911003 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:09.764714003 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:09.884449959 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:10.195768118 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:10.216773987 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:10.336602926 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:14.295975924 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:14.416734934 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:14.416795015 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:14.536503077 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:14.536587000 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:14.656655073 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:14.731719017 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:14.733614922 CET497051300192.168.2.1087.120.116.179
                Dec 6, 2024 10:55:14.853430033 CET13004970587.120.116.179192.168.2.10
                Dec 6, 2024 10:55:14.923712969 CET13004970587.120.116.179192.168.2.10


                Target ID:0
                Start time:04:51:45
                Start date:06/12/2024
                Path:C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\Desktop\1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe"
                Imagebase:0x8f0000
                File size:36'864 bytes
                MD5 hash:3B418FCBDD3C8E5B79AE86050618B81D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1248923168.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1248923168.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3686976828.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:false


                  Execution Graph

                  Execution Coverage:20.9%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:3
                  Total number of Limit Nodes:0
                  execution_graph 4145 7ff7c1321bf8 4146 7ff7c1321c01 SetWindowsHookExW 4145->4146 4148 7ff7c1321cd1 4146->4148

                  Control-flow Graph

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3689334897.00007FF7C1320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1320000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff7c1320000_1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31.jbxd
                  Similarity
                  • API ID:
                  • String ID: xM_H
                  • API String ID: 0-2997469637
                  • Opcode ID: 99b2b661c7b594268e13130fc95d4806cfc07649901bb0288ec37b69779558f1
                  • Instruction ID: 399d35e91f9ac77168ff869f39221fa6efe251428fedc3df0e6c799f8ac8fb90
                  • Opcode Fuzzy Hash: 99b2b661c7b594268e13130fc95d4806cfc07649901bb0288ec37b69779558f1
                  • Instruction Fuzzy Hash: 8C625530B1C91A4FEB98FB388455679B2D2FF98364B9146B9D50EC3687DE78EC428740

                  Control-flow Graph

                  Memory Dump Source
                  • Source File: 00000000.00000002.3689334897.00007FF7C1320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1320000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff7c1320000_1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a6d85dc499c25a44f26768446955d55d51d4a1849b17d9e78ac233b2f513ab25
                  • Instruction ID: 55d4a58dd89fb4061be70e1952ce921716a78bf47117c41d0013d175f68cb8af
                  • Opcode Fuzzy Hash: a6d85dc499c25a44f26768446955d55d51d4a1849b17d9e78ac233b2f513ab25
                  • Instruction Fuzzy Hash: AEF1A470A08A8D8FEBA8EF28D8557E977D1FF54310F44427EE84DC7296CB74A9418B81

                  Control-flow Graph

                  Memory Dump Source
                  • Source File: 00000000.00000002.3689334897.00007FF7C1320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1320000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff7c1320000_1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 570ce009e074db4b052ef12cb50f3109d33e574d26879636ac106082b75c1f02
                  • Instruction ID: f0741c5c20af9e22fd2f286b2b56297c2bf50640b5210df7f679b3000e647b15
                  • Opcode Fuzzy Hash: 570ce009e074db4b052ef12cb50f3109d33e574d26879636ac106082b75c1f02
                  • Instruction Fuzzy Hash: 89E1A330A08A4D8FEBA8EF28C8597E977D1FF54310F54427ED84DC7296DE78A9418B81

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.3689334897.00007FF7C1320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1320000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff7c1320000_1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31.jbxd
                  Similarity
                  • API ID: HookWindows
                  • String ID:
                  • API String ID: 2559412058-0
                  • Opcode ID: 414418c9a2c579b4b60a9627876b29a73bffcf920955774daa62a885c1816d09
                  • Instruction ID: a8a6efce894754f718f3e85e8c6592006686e802dc9b027e12fb8427c846f66d
                  • Opcode Fuzzy Hash: 414418c9a2c579b4b60a9627876b29a73bffcf920955774daa62a885c1816d09
                  • Instruction Fuzzy Hash: D841F630A0CA5D4FDB18EF6C98466F9BBE1EF5A321F00427ED049D3292CA75A852C7C1