Edit tour

Windows Analysis Report
png2obj1_XClient.exe

Overview

General Information

Sample name:	png2obj1_XClient.exe (renamed file extension from none to exe)
Original sample name:	png2obj1_XClient
Analysis ID:	1579798
MD5:	24c587128fec0ff6d2b02d8722c0c8c1
SHA1:	25bf1ef6182dd53388b2332bafadc592c9983e0f
SHA256:	7bd6448fe487d0b8998f8da1ea906eb43a26240e8fb47f1f56fb16d5447ec333
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w7x64

png2obj1_XClient.exe (PID: 3436 cmdline: "C:\Users\user\Desktop\png2obj1_XClient.exe" MD5: 24C587128FEC0FF6D2B02D8722C0C8C1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["92.255.57.155"], "Port": 4411, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.534955459.0000000002691000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.534955459.0000000002691000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2550:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc4bc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x25a4:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc574:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2634:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc6a4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x23ec:$cnc4: POST / HTTP/1.1
Process Memory Space: png2obj1_XClient.exe PID: 3436	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: png2obj1_XClient.exe PID: 3436	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4cd9e:$s8: Win32_ComputerSystem 0x4ce0a:$s8: Win32_ComputerSystem 0xa131:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa1ed:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa277:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9fff:$cnc4: POST / HTTP/1.1

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T08:29:36.963119+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:37.072506+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:37.156314+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:37.305526+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:37.347949+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:37.528633+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:41.495696+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:54.017182+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:54.209139+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:58.355118+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:09.032366+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:12.172730+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:14.908491+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:18.426435+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:21.507471+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:22.940928+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:24.050505+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:24.989326+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:25.409799+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:25.711844+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:25.841166+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:26.025498+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:26.154642+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:26.217287+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:26.996174+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:27.624981+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:28.843193+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:29.035046+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:29.928491+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:30.324169+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:30.515940+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:30.683196+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:31.154899+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:31.451123+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:31.667851+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:31.787858+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:31.979463+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:32.448425+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:32.743945+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:33.052630+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:33.244399+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:33.474659+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:33.781618+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:34.070035+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:34.213959+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:34.332883+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:34.755273+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:34.836536+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:34.957229+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:35.237262+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:35.304185+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:35.663204+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:35.863241+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:38.873857+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:39.065541+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:39.185603+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:43.694758+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:43.921855+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:44.043092+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:44.163648+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:54.027184+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:56.581329+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:56.836792+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T08:29:37.097312+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:29:37.156385+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:29:37.217135+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:29:37.348870+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:29:37.511774+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:29:37.917066+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:29:41.497552+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:29:54.211359+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:29:58.358314+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:09.038439+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:12.175483+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:14.910846+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:18.428607+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:21.509496+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:22.942784+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:25.095334+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:25.454392+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:25.714059+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:25.843148+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:26.027139+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:26.156644+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:26.317757+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:26.998261+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:27.626999+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:28.845286+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:29.037004+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:30.371563+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:30.517811+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:30.798590+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:31.157844+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:31.476211+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:31.669708+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:31.789649+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:31.911039+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:31.979633+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:32.022533+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:32.451992+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:32.817854+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:33.114241+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:33.393998+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:33.513632+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:38.135361+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:38.447566+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:43.579284+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP

ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T08:29:54.017182+0100	2858801	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.22	49161	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T08:30:27.191059+0100	2858799	1	Malware Command and Control Activity Detected	192.168.2.22	49161	92.255.57.155	4411	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: png2obj1_XClient.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.534955459.0000000002691000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["92.255.57.155"], "Port": 4411, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: png2obj1_XClient.exe	ReversingLabs: Detection: 68%
Source: png2obj1_XClient.exe	Virustotal: Detection: 77%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: png2obj1_XClient.exe

Joe Sandbox ML: detected

Source: png2obj1_XClient.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: png2obj1_XClient.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: lib.pdb source: png2obj1_XClient.exe, 00000000.00000002.534882828.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbFramework64\v4.0.30319;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\WindowsPowerShell\ source: png2obj1_XClient.exe, 00000000.00000002.535357258.000000001CD1F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbJ source: png2obj1_XClient.exe, 00000000.00000002.535288155.000000001BB59000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: symbols\dll\mscorlib.pdbpdb source: png2obj1_XClient.exe, 00000000.00000002.535288155.000000001BB59000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: .pdb+0 source: png2obj1_XClient.exe, 00000000.00000002.535288155.000000001BB59000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: png2obj1_XClient.exe, 00000000.00000002.535288155.000000001BB59000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\png2obj1_XClient.exe	File opened: C:\Windows\system32\en-US\tzres.dll.mui	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	File opened: C:\Windows\system32\en-US\avicap32.dll.mui	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	File opened: C:\Windows\system32\en-US\MSVFW32.dll.mui	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\028f9e8b0c8b1820df7bec952b01fe12\System.Windows.Forms.ni.dll.aux	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	File opened: C:\Windows\system32\wbem\en-US\wmiutils.dll.mui	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\7e5e0d92b127a5150606d81839f29044\System.Drawing.ni.dll.aux	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.22:49161 -> 92.255.57.155:4411
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 92.255.57.155:4411 -> 192.168.2.22:49161
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.22:49161 -> 92.255.57.155:4411
Source: Network traffic	Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 92.255.57.155:4411 -> 192.168.2.22:49161
Source: Network traffic	Suricata IDS: 2858799 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.22:49161 -> 92.255.57.155:4411

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 92.255.57.155

Source: global traffic

TCP traffic: 192.168.2.22:49161 -> 92.255.57.155:4411

Source: Joe Sandbox View

IP Address: 92.255.57.155 92.255.57.155

Source: Joe Sandbox View

ASN Name: TELSPRU TELSPRU

Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155

Source: png2obj1_XClient.exe, 00000000.00000002.534955459.0000000002691000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.534955459.0000000002691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: png2obj1_XClient.exe PID: 3436, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: png2obj1_XClient.exe, 00000000.00000000.350844339.000000000128C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs png2obj1_XClient.exe
Source: png2obj1_XClient.exe, 00000000.00000002.534691848.00000000002ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs png2obj1_XClient.exe
Source: png2obj1_XClient.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs png2obj1_XClient.exe

Source: png2obj1_XClient.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.534955459.0000000002691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: png2obj1_XClient.exe PID: 3436, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: png2obj1_XClient.exe, -----------------------------------------.cs	Cryptographic APIs: 'CreateDecryptor'
Source: png2obj1_XClient.exe, -----------------------------------------.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: png2obj1_XClient.exe, -----------------------------------------.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: png2obj1_XClient.exe, -----------------------------------------.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\o8kSNczORMveFDjV

Source: png2obj1_XClient.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: png2obj1_XClient.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\png2obj1_XClient.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: png2obj1_XClient.exe	ReversingLabs: Detection: 68%
Source: png2obj1_XClient.exe	Virustotal: Detection: 77%

Source: C:\Users\user\Desktop\png2obj1_XClient.exe

File read: C:\Users\user\Desktop\png2obj1_XClient.exe

Jump to behavior

Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Section loaded: msvfw32.dll	Jump to behavior

Source: C:\Users\user\Desktop\png2obj1_XClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\png2obj1_XClient.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: png2obj1_XClient.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: png2obj1_XClient.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: lib.pdb source: png2obj1_XClient.exe, 00000000.00000002.534882828.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbFramework64\v4.0.30319;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\WindowsPowerShell\ source: png2obj1_XClient.exe, 00000000.00000002.535357258.000000001CD1F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbJ source: png2obj1_XClient.exe, 00000000.00000002.535288155.000000001BB59000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: symbols\dll\mscorlib.pdbpdb source: png2obj1_XClient.exe, 00000000.00000002.535288155.000000001BB59000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: .pdb+0 source: png2obj1_XClient.exe, 00000000.00000002.535288155.000000001BB59000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: png2obj1_XClient.exe, 00000000.00000002.535288155.000000001BB59000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: png2obj1_XClient.exe, -----------------------------------------.cs	.Net Code: _202B_200C_206B_202B_200F_202E_206A_206B_206F_206A_206F_206D_206B_206B_202B_202E_200B_200D_206C_202C_200E_200C_206B_202B_200C_200E_202E_200B_202A_200D_200C_206E_200B_206E_206E_202A_200B_206D_202A_202C_202E System.AppDomain.Load(byte[])
Source: png2obj1_XClient.exe, -Module-.cs	.Net Code: _202B_202D_200B_200C_202A_206F_206C_206C_200E_200E_202C_206B_200B_200E_202B_202B_200B_206B_200E_206D_206C_202B_200C_206F_206C_202A_200F_206F_206F_202D_206C_206A_206B_206E_202A_200C_202E_206A_200D_200F_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\png2obj1_XClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Memory allocated: 230000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Memory allocated: 1A690000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\png2obj1_XClient.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Window / User API: threadDelayed 1386	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Window / User API: threadDelayed 8453	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	Window / User API: foregroundWindowGot 473	Jump to behavior

Source: C:\Users\user\Desktop\png2obj1_XClient.exe TID: 3548	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe TID: 3576	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe TID: 3584	Thread sleep count: 1386 > 30	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe TID: 3584	Thread sleep count: 8453 > 30	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\png2obj1_XClient.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\png2obj1_XClient.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\png2obj1_XClient.exe	File opened: C:\Windows\system32\en-US\tzres.dll.mui	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	File opened: C:\Windows\system32\en-US\avicap32.dll.mui	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	File opened: C:\Windows\system32\en-US\MSVFW32.dll.mui	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\028f9e8b0c8b1820df7bec952b01fe12\System.Windows.Forms.ni.dll.aux	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	File opened: C:\Windows\system32\wbem\en-US\wmiutils.dll.mui	Jump to behavior
Source: C:\Users\user\Desktop\png2obj1_XClient.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\7e5e0d92b127a5150606d81839f29044\System.Drawing.ni.dll.aux	Jump to behavior

Source: C:\Users\user\Desktop\png2obj1_XClient.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\png2obj1_XClient.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: png2obj1_XClient.exe, 00000000.00000002.534955459.0000000002774000.00000004.00000800.00020000.00000000.sdmp, png2obj1_XClient.exe, 00000000.00000002.534955459.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, png2obj1_XClient.exe, 00000000.00000002.534955459.0000000002748000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: png2obj1_XClient.exe, 00000000.00000002.534955459.0000000002691000.00000004.00000800.00020000.00000000.sdmp, png2obj1_XClient.exe, 00000000.00000002.534955459.0000000002774000.00000004.00000800.00020000.00000000.sdmp, png2obj1_XClient.exe, 00000000.00000002.534955459.00000000029EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: png2obj1_XClient.exe, 00000000.00000002.534955459.0000000002774000.00000004.00000800.00020000.00000000.sdmp, png2obj1_XClient.exe, 00000000.00000002.534955459.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, png2obj1_XClient.exe, 00000000.00000002.534955459.0000000002748000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: png2obj1_XClient.exe, 00000000.00000002.534955459.0000000002774000.00000004.00000800.00020000.00000000.sdmp, png2obj1_XClient.exe, 00000000.00000002.534955459.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, png2obj1_XClient.exe, 00000000.00000002.534955459.0000000002748000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: png2obj1_XClient.exe, 00000000.00000002.534955459.0000000002774000.00000004.00000800.00020000.00000000.sdmp, png2obj1_XClient.exe, 00000000.00000002.534955459.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, png2obj1_XClient.exe, 00000000.00000002.534955459.0000000002748000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2

Source: C:\Users\user\Desktop\png2obj1_XClient.exe

Queries volume information: C:\Users\user\Desktop\png2obj1_XClient.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\png2obj1_XClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\png2obj1_XClient.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 00000000.00000002.534955459.0000000002691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: png2obj1_XClient.exe PID: 3436, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 00000000.00000002.534955459.0000000002691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: png2obj1_XClient.exe PID: 3436, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
png2obj1_XClient.exe	68%	ReversingLabs	ByteCode-MSIL.Infostealer.Tinba
png2obj1_XClient.exe	78%	Virustotal		Browse
png2obj1_XClient.exe	100%	Avira	TR/Dropper.Gen
png2obj1_XClient.exe	100%	Joe Sandbox ML

Name	Malicious	Antivirus Detection	Reputation
92.255.57.155	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	png2obj1_XClient.exe, 00000000.00000002.534955459.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
92.255.57.155	unknown	Russian Federation		42253	TELSPRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579798
Start date and time:	2024-12-23 08:28:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	png2obj1_XClient.exe (renamed file extension from none to exe)
Original Sample Name:	png2obj1_XClient
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@0/1

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.93
Excluded domains from analysis (whitelisted): onedsblobprdcus07.centralus.cloudapp.azure.com, watson.microsoft.com, legacywatson.trafficmanager.net
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:29:30	API Interceptor	841656x Sleep call for process: png2obj1_XClient.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
92.255.57.155	anyrunsample.ps1	Get hash	malicious	Unknown	Browse	92.255.57.155/1/1.png
92.255.57.155	https://reviewgustereports.com/	Get hash	malicious	CAPTCHA Scam ClickFix, XWorm	Browse	92.255.57.155/1/1.png

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELSPRU	Dm35sdidf3.exe	Get hash	malicious	XWorm	Browse	92.255.57.155
	QP2uO3eN2p.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	WErY5oc4hl.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	NLXwvLjXPh.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	mhqxUdpe7V.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	anyrunsample.ps1	Get hash	malicious	Unknown	Browse	92.255.57.155
	sEOELQpFOB.lnk	Get hash	malicious	RedLine	Browse	92.255.57.75
	ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk	Get hash	malicious	RedLine, SectopRAT	Browse	92.255.57.75

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.442060260254694
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	png2obj1_XClient.exe
File size:	172'032 bytes
MD5:	24c587128fec0ff6d2b02d8722c0c8c1
SHA1:	25bf1ef6182dd53388b2332bafadc592c9983e0f
SHA256:	7bd6448fe487d0b8998f8da1ea906eb43a26240e8fb47f1f56fb16d5447ec333
SHA512:	52a832340bae126eb8d1d6d316f3e9f741e23d73c1d1dca9cf8c096518174d14aa35d83e7e09f075de3afbe4e11bb7120020f4604de132b09590c97eeb3a6ced
SSDEEP:	3072:K2dT8eGZeApZQALXSt+b8aMOjx/S0hXAQltJmDfm0mbmKvD3+Ztm+p6OD/I:DGZeAAA9b5MOjx/S0hXAQltJmDfm0mbY
TLSH:	0EF3599D765076DFC867D872DEA81C64EA6074BB531B9203A02316EDEE4D89BCF140F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Pg................................. ........@.. ....................................@................................

File Icon


Icon Hash:	aaf3e3e3918382a0

Static PE Info

General

Entrypoint:	0x42b3fe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x675011CD [Wed Dec 4 08:24:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2b3a8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x4d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x29404	0x29600	39930a7769bf92556bcd6d79fbafdade	False	0.41033327039274925	data	5.4484487095064065	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x4d0	0x600	b96ace240ba3c99bbb9761e4e8dd22a1	False	0.3756510416666667	data	3.7307785693156315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2e000	0xc	0x200	bfe7ebb58020353c73f346783fabca80	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x2c0a0	0x244	data			0.4724137931034483
RT_MANIFEST	0x2c2e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-23T08:29:36.402195+0100	2858800	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:29:36.963119+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:37.072506+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:37.097312+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:29:37.156314+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:37.156385+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:29:37.217135+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:29:37.305526+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:37.347949+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:37.348870+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:29:37.511774+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:29:37.528633+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:37.917066+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:29:41.495696+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:41.497552+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:29:54.017182+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:54.017182+0100	2858801	ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:54.209139+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:54.211359+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:29:58.355118+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:29:58.358314+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:09.032366+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:09.038439+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:12.172730+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:12.175483+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:14.908491+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:14.910846+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:18.426435+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:18.428607+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:21.507471+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:21.509496+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:22.940928+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:22.942784+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:24.050505+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:24.989326+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:25.095334+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:25.409799+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:25.454392+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:25.711844+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:25.714059+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:25.841166+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:25.843148+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:26.025498+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:26.027139+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:26.154642+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:26.156644+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:26.217287+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:26.317757+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:26.996174+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:26.998261+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:27.191059+0100	2858799	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:27.624981+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:27.626999+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:28.843193+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:28.845286+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:29.035046+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:29.037004+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:29.928491+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:30.324169+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:30.371563+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:30.515940+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:30.517811+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:30.683196+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:30.798590+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:31.154899+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:31.157844+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:31.451123+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:31.476211+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:31.667851+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:31.669708+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:31.787858+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:31.789649+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:31.911039+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:31.979463+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:31.979633+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:32.022533+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:32.448425+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:32.451992+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:32.743945+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:32.817854+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:33.052630+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:33.114241+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:33.244399+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:33.393998+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:33.474659+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:33.513632+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:33.781618+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:34.070035+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:34.213959+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:34.332883+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:34.755273+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:34.836536+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:34.957229+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:35.237262+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:35.304185+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:35.663204+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:35.863241+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:38.135361+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:38.447566+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:38.873857+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:39.065541+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:39.185603+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:43.579284+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.22	49161	92.255.57.155	4411	TCP
2024-12-23T08:30:43.694758+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:43.921855+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:44.043092+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:44.163648+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:54.027184+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:56.581329+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP
2024-12-23T08:30:56.836792+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.22	49161	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 08:29:34.923965931 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:35.043627024 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:35.043692112 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:36.282519102 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:36.402147055 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:36.402194977 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:36.521847963 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:36.521905899 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:36.641501904 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:36.641563892 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:36.761101007 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:36.761152983 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:36.880642891 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:36.880702019 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:36.963119030 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:37.000355005 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:37.072505951 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:37.072587967 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:37.097311974 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:37.156313896 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:37.156384945 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:37.216988087 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:37.217134953 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:37.275834084 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:37.305526018 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:37.347949028 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:37.348870039 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:37.509669065 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:37.511774063 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:37.528633118 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:37.631294012 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:37.800860882 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:37.917066097 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:38.036673069 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:41.061572075 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:41.181164980 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:41.495696068 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:41.497551918 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:41.617085934 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:53.542082071 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:53.661923885 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:54.017182112 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:54.209139109 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:54.209245920 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:54.211359024 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:54.331470966 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:57.918354988 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:58.038247108 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:58.355118036 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:29:58.358314037 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:29:58.477917910 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:08.596164942 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:08.715892076 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:09.032366037 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:09.038439035 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:09.158231020 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:11.738554001 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:11.858263969 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:12.172729969 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:12.175482988 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:12.294997931 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:14.474014997 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:14.594019890 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:14.908490896 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:14.910845995 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:15.030527115 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:17.986890078 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:18.106388092 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:18.426434994 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:18.428606987 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:18.548116922 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:20.947870970 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:21.067343950 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:21.507471085 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:21.509495974 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:21.628976107 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:22.495417118 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:22.614968061 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:22.940927982 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:22.942784071 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:23.062360048 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:24.050504923 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:24.257886887 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:24.554672003 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:24.674288988 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:24.975764990 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:24.989326000 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:25.095242023 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:25.095334053 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:25.214812040 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:25.214947939 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:25.334489107 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:25.334609985 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:25.409799099 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:25.409945011 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:25.454305887 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:25.454391956 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:25.529613018 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:25.529727936 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:25.573909998 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:25.649274111 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:25.711843967 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:25.714059114 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:25.833652020 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:25.841166019 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:25.843147993 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:26.005721092 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:26.025497913 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:26.027138948 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:26.146945953 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:26.154642105 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:26.156644106 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:26.217287064 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:26.317688942 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:26.317756891 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:26.437253952 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:26.437362909 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:26.556875944 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:26.996174097 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:26.998260975 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:27.117821932 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:27.191059113 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:27.310640097 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:27.624980927 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:27.626998901 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:27.746494055 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:28.407784939 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:28.527358055 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:28.548472881 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:28.667954922 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:28.843193054 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:28.845285892 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:28.964811087 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:29.035046101 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:29.037003994 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:29.156580925 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:29.484173059 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:29.604214907 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:29.889736891 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:29.928491116 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:30.009202003 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:30.009305000 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:30.128948927 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:30.129158020 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:30.248719931 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:30.324168921 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:30.371562958 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:30.491086960 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:30.515939951 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:30.517811060 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:30.677753925 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:30.677886963 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:30.683196068 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:30.798511982 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:30.798589945 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:30.918210983 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:30.918265104 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:31.038146019 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:31.038206100 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:31.154898882 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:31.154985905 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:31.157790899 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:31.157844067 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:31.274432898 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:31.277498007 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:31.356067896 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:31.451122999 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:31.476151943 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:31.476211071 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:31.596692085 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:31.667850971 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:31.669708014 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:31.787858009 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:31.789278984 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:31.789649010 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:31.902580976 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:31.902667999 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:31.910990000 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:31.911039114 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:31.979463100 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:31.979633093 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:32.022422075 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:32.022532940 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:32.030605078 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:32.099406004 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:32.143274069 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:32.143616915 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:32.270694971 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:32.448425055 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:32.451992035 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:32.575295925 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:32.575340986 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:32.695161104 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:32.698070049 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:32.743944883 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:32.817745924 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:32.817853928 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:32.937561989 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:32.994438887 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:33.052629948 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:33.114154100 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:33.114240885 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:33.234092951 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:33.234158039 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:33.244399071 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:33.393891096 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:33.393997908 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:33.474658966 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:33.474736929 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:33.513591051 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:33.513632059 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:33.594343901 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:33.594413042 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:33.633475065 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:33.714078903 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:33.714210987 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:33.781618118 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:33.781713963 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:33.833869934 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:33.833961010 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:33.901398897 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:33.901511908 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:33.953625917 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:34.021167994 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:34.021240950 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:34.070034981 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:34.213958979 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:34.214071035 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:34.332882881 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:34.332953930 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:34.441793919 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:34.441852093 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:34.452650070 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:34.524815083 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:34.524863005 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:34.561378002 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:34.561433077 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:34.644383907 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:34.644433975 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:34.644594908 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:34.737894058 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:34.755273104 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:34.755362988 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:34.769198895 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:34.800056934 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:34.836535931 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:34.836575031 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:34.925234079 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:34.925297022 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:34.957228899 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.015383005 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.048083067 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.048139095 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:35.071283102 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.209918022 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.210036039 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:35.237262011 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.237317085 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:35.304184914 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.304238081 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:35.333266973 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.357237101 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.425230980 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.425281048 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:35.429250956 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.429297924 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:35.550024986 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.550043106 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.550074100 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:35.663203955 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.663288116 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:35.719336987 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.719430923 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:35.782849073 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.782902956 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:35.841245890 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.841888905 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:35.863240957 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.863303900 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:35.945914984 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.945997953 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:35.961708069 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.974879026 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:35.974937916 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:36.029871941 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:36.029979944 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:36.031125069 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:36.065597057 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:36.065660000 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:36.095127106 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:36.095180988 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:36.150753975 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:36.150813103 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:36.153382063 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:36.214859009 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:36.214920998 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:36.287010908 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:36.287080050 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:36.406727076 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:36.406740904 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:36.406800985 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:36.521766901 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:36.521812916 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:36.641369104 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:36.641590118 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:36.718545914 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:36.718606949 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:36.833425999 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:36.833498955 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:36.953933954 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:36.954042912 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:36.954111099 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:37.030127048 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:37.030191898 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:37.145086050 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:37.145159006 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:37.264766932 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:37.264863014 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:37.270411015 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:37.270925999 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:37.390476942 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:37.390692949 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:37.463377953 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:37.463514090 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:37.576771021 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:37.577234983 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:37.697066069 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:37.697623968 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:37.697659969 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:37.822824955 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:37.823137999 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:38.001645088 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:38.009221077 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:38.135179043 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:38.135360956 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:38.321120024 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:38.417629004 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:38.447465897 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:38.447566032 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:38.512819052 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:38.512872934 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:38.567207098 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:38.567280054 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:38.639213085 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:38.639276981 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:38.758955002 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:38.759031057 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:38.873857021 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:38.873919010 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:38.993546963 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:38.993623018 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:39.065541029 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:39.065618992 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:39.185522079 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:39.185589075 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:39.185602903 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:39.301652908 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:39.301712990 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:39.377408981 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:39.377530098 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:39.497205019 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:39.497461081 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:39.613256931 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:39.613708973 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:39.733342886 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:39.733544111 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:39.808993101 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:39.809276104 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:39.928936958 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:39.929065943 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:39.970612049 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:39.970822096 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:40.041707993 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:40.041910887 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:40.090758085 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:40.091005087 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:40.120982885 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:40.121087074 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:40.210640907 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:40.210854053 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:40.233532906 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:40.233864069 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:40.330440998 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:40.330498934 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:40.353538990 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:40.353604078 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:40.473201990 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:40.473262072 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:40.522381067 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:40.522428989 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:40.641978979 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:40.642049074 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:40.642086029 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:40.761645079 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:40.761707067 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:40.813877106 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:40.813946962 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:40.833833933 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:40.881395102 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:40.881458998 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:40.933587074 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:40.933655024 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:40.953627110 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:40.953687906 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.045979023 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.046037912 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.053216934 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.073389053 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.073432922 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.125799894 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.125866890 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.165704012 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.165760040 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.192994118 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.245194912 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.245246887 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.245353937 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.285370111 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.285429955 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.357875109 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.361342907 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.364917994 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.365052938 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.404974937 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.407463074 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.477443933 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.481056929 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.481101990 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.484566927 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.487477064 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.527111053 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.527350903 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.597084999 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.599498034 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.607096910 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.607274055 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.717892885 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.719079971 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.719206095 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.769864082 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.773297071 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.838812113 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.838885069 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.839061022 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.933803082 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.937325954 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:41.958694935 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:41.958795071 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.030971050 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.031754017 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.057118893 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.059478045 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.078413010 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.081338882 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.085146904 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.179236889 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.181312084 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.245892048 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.248394012 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.249011040 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.300949097 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.301054001 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.318387985 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.318434000 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.409862041 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.409914017 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.420650959 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.420711040 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.438019991 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.440758944 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.440804005 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.540430069 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.540488958 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.559969902 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.605945110 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.606007099 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.660114050 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.660177946 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.721575022 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.721626997 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.725639105 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.725687981 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.779798031 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.779850960 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.841239929 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.841290951 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:42.845216990 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.852013111 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.917506933 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:42.917613983 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:43.001899958 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.037252903 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.070753098 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:43.191044092 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.191118002 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:43.203767061 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.203815937 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:43.323414087 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.327518940 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:43.383054018 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.387465000 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:43.489839077 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.489962101 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:43.502903938 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.507122040 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.574860096 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.579283953 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:43.609873056 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.610383034 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:43.694757938 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.695015907 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:43.698900938 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.729985952 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.731323957 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:43.801863909 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.802092075 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:43.814663887 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.814809084 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:43.851022959 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.851228952 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:43.921789885 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.921854973 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.927350998 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:43.970777988 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:43.971005917 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:44.043092012 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:44.043358088 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:44.090600014 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:44.090739965 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:44.163647890 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:44.163774014 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:44.211184025 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:44.211321115 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:44.283590078 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:44.286310911 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:44.331715107 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:44.331783056 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:44.403243065 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:44.403356075 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:44.452312946 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:44.452370882 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:44.522895098 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:44.522953033 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:44.571918964 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:44.643368006 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:44.643426895 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:44.764678001 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:44.764739990 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:44.881623983 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:44.881762981 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:45.002312899 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:45.002372026 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:45.073498964 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:45.073550940 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:45.193176031 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:45.193240881 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:45.194242001 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:45.194294930 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:45.305783987 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:45.305857897 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:45.313824892 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:45.313875914 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:45.385119915 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:45.386010885 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:45.433585882 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:45.497526884 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:45.617518902 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:45.617588043 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:45.849703074 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:46.042392969 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:46.044608116 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:54.027184010 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:54.241132021 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:56.139863968 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:56.385899067 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:56.385968924 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:56.505568027 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:56.581329107 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:56.743029118 CET	49161	4411	192.168.2.22	92.255.57.155
Dec 23, 2024 08:30:56.836791992 CET	4411	49161	92.255.57.155	192.168.2.22
Dec 23, 2024 08:30:56.836862087 CET	49161	4411	192.168.2.22	92.255.57.155

Target ID:	0
Start time:	02:29:29
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\png2obj1_XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\png2obj1_XClient.exe"
Imagebase:	0x1260000
File size:	172'032 bytes
MD5 hash:	24C587128FEC0FF6D2B02D8722C0C8C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.534955459.0000000002691000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.534955459.0000000002691000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report png2obj1_XClient.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
png2obj1_XClient.exe