Windows Analysis Report
17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe

Overview

General Information

Sample name: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe
Analysis ID: 1587331
MD5: d7edb2f9bd829d3177dafbbae2e1ab6f
SHA1: bf8fdcda459d9b9ada2ace6877e5b00a24db617e
SHA256: 7bb9c8a49a6734d2c337285564566120807b5e85c78f6eae8c3a0ffc4c882213
Tags: base64-decoded, exe, user-abuse_ch

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup

Malware configuration (Xworm): {"C2 url": ["87.120.116.179"], "Port": 1300, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author
17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
    • 0x6417: $str01: $VB$Local_Port
    • 0x6408: $str02: $VB$Local_Host
    • 0x670c: $str03: get_Jpeg
    • 0x60c7: $str04: get_ServicePack
    • 0x715a: $str05: Select * from AntivirusProduct
    • 0x7358: $str06: PCRestart
    • 0x736c: $str07: shutdown.exe /f /r /t 0
    • 0x741e: $str08: StopReport
    • 0x73f4: $str09: StopDDos
    • 0x74f6: $str10: sendPlugin
    • 0x76a2: $str12: -ExecutionPolicy Bypass -File "
    • 0x77cb: $str13: Content-length: 5235
17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
    • 0x7a38: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7ad5: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7bea: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x76e6: $cnc4: POST / HTTP/1.1

Note: the MALWARE_Win_AsyncRAT hit rests only on three stock browser User-Agent strings and the request line "POST / HTTP/1.1", none of which is specific to one family. The XWorm classification is carried by the configuration extractor, the JoeSecurity_XWorm rule and Sekoia's rat_win_xworm_v3 rule, whose matched strings include XWorm client command names (PCRestart, StopReport, StopDDos, sendPlugin).

Source | Rule | Description | Author
00000000.00000000.2147758981.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.2147758981.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
    • 0x7838: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x78d5: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x79ea: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x74e6: $cnc4: POST / HTTP/1.1
00000000.00000002.4601622919.0000000003081000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe PID: 7128 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author
0.0.17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe.ea0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe.ea0000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
    • 0x6417: $str01: $VB$Local_Port
    • 0x6408: $str02: $VB$Local_Host
    • 0x670c: $str03: get_Jpeg
    • 0x60c7: $str04: get_ServicePack
    • 0x715a: $str05: Select * from AntivirusProduct
    • 0x7358: $str06: PCRestart
    • 0x736c: $str07: shutdown.exe /f /r /t 0
    • 0x741e: $str08: StopReport
    • 0x73f4: $str09: StopDDos
    • 0x74f6: $str10: sendPlugin
    • 0x76a2: $str12: -ExecutionPolicy Bypass -File "
    • 0x77cb: $str13: Content-length: 5235
0.0.17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe.ea0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
    • 0x7a38: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7ad5: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7bea: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x76e6: $cnc4: POST / HTTP/1.1
            No Sigma rule has matched
Suricata alerts, SID 2852870 (ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes), severity 1, classtype "Malware Command and Control Activity Detected", 87.120.116.179:1300 -> 192.168.2.5:49715, TCP. Timestamps on 2025-01-10 (+0100):
07:50:29.717657, 07:50:40.565114, 07:50:44.461065, 07:50:59.226839, 07:51:10.588541, 07:51:13.977555,
07:51:28.727222, 07:51:37.148426, 07:51:37.248985, 07:51:40.591447, 07:51:47.320543, 07:51:47.412892,
07:51:57.431339, 07:51:57.530787, 07:51:57.629806, 07:51:57.728771, 07:51:57.928258, 07:51:58.032178,
07:51:58.667936, 07:52:10.578092, 07:52:10.797970, 07:52:11.210800, 07:52:11.804511, 07:52:11.903973,
07:52:12.804282, 07:52:12.906223, 07:52:13.243294, 07:52:13.332473, 07:52:13.426310, 07:52:13.525631,
07:52:13.625435, 07:52:15.475671, 07:52:30.132065, 07:52:37.929577, 07:52:40.582574, 07:52:49.444894,
07:52:49.538142, 07:52:49.614472, 07:52:49.714108, 07:52:49.813756, 07:52:54.023401, 07:52:54.439652,
07:52:55.321103, 07:52:57.460689, 07:53:05.492233, 07:53:05.584704, 07:53:05.684567, 07:53:07.383152,
07:53:10.570196, 07:53:21.306197, 07:53:21.398576, 07:53:21.498037, 07:53:21.635705, 07:53:24.213376,
07:53:27.332057, 07:53:40.582254, 07:53:41.101640, 07:53:42.993122, 07:53:43.097946, 07:53:47.491331,
07:53:47.590988, 07:53:47.690564, 07:53:47.789798, 07:53:57.023148, 07:53:57.913893, 07:53:58.228357,
07:54:01.243897, 07:54:06.164286, 07:54:08.295941, 07:54:10.583468, 07:54:11.601420, 07:54:13.585735,
07:54:13.685839, 07:54:13.903890, 07:54:16.913719
Suricata alerts, SID 2852923 (ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)), severity 1, classtype "Malware Command and Control Activity Detected", 192.168.2.5:49715 -> 87.120.116.179:1300, TCP. Timestamps on 2025-01-10 (+0100):
07:50:29.772872, 07:50:44.463087, 07:50:59.229730, 07:51:13.979670, 07:51:28.740868, 07:51:37.151651,
07:51:37.251518, 07:51:47.324620, 07:51:47.445944, 07:51:47.546438, 07:51:47.551431, 07:51:57.433457,
07:51:57.578094, 07:51:57.631545, 07:51:57.730971, 07:51:57.830937, 07:51:57.838170, 07:51:57.934747,
07:51:58.042961, 07:51:58.677779, 07:52:11.213083, 07:52:11.806721, 07:52:11.906431, 07:52:12.808931,
07:52:12.909683, 07:52:13.245401, 07:52:13.334558, 07:52:13.428381, 07:52:13.527772, 07:52:13.627676,
07:52:13.754477, 07:52:15.477961, 07:52:30.141988, 07:52:37.932049, 07:52:49.448189, 07:52:49.539947,
07:52:49.616559, 07:52:49.716295, 07:52:49.815489, 07:52:49.918869, 07:52:49.926014, 07:52:49.934052,
07:52:54.035294, 07:52:54.448749, 07:52:55.323602, 07:52:57.503350, 07:53:05.501132, 07:53:05.587124,
07:53:05.686847, 07:53:07.385875, 07:53:21.309273, 07:53:21.400710, 07:53:21.500696, 07:53:21.637478,
07:53:24.216098, 07:53:27.334503, 07:53:41.107047, 07:53:43.000696, 07:53:43.099976, 07:53:47.493672,
07:53:47.593258, 07:53:47.692392, 07:53:47.791677, 07:53:57.025676, 07:53:57.915848, 07:53:58.232476,
07:54:01.512682, 07:54:06.169367, 07:54:08.301261, 07:54:11.603525, 07:54:13.588487, 07:54:13.688052,
07:54:13.906210, 07:54:16.914636
Suricata alerts, SID 2852874 (ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2), severity 1, classtype "Malware Command and Control Activity Detected", 87.120.116.179:1300 -> 192.168.2.5:49715, TCP. Timestamps on 2025-01-10 (+0100):
07:50:40.565114, 07:51:10.588541, 07:51:40.591447, 07:52:10.578092, 07:52:10.797970, 07:52:40.582574,
07:53:10.570196, 07:53:40.582254, 07:54:10.583468
Suricata alerts, SID 2853193 (ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound), severity 1, classtype "Malware Command and Control Activity Detected", 192.168.2.5:49715 -> 87.120.116.179:1300, TCP. Timestamps on 2025-01-10 (+0100):
07:51:57.641011
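The inbound PING alerts (SID 2852874) above land on a fixed cadence, which is the kind of beaconing a detection engineer can catch on flows even when no ETPRO signature fires. The Go program below is an added example, not part of the Joe Sandbox report: it takes those nine timestamps exactly as the table prints them, collapses alerts that fire within one second of each other (Suricata commonly raises two alerts on one packet), and returns the median inter-arrival period and the worst-case jitter around it. The one-second de-duplication window and the 5% jitter threshold are choices made here, not values from the report.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Timestamps of the inbound PING alerts (SID 2852874), copied from the
// report's alert table in the report's own "+0100" offset notation.
var pingAlerts = []string{
	"2025-01-10T07:50:40.565114+0100",
	"2025-01-10T07:51:10.588541+0100",
	"2025-01-10T07:51:40.591447+0100",
	"2025-01-10T07:52:10.578092+0100",
	"2025-01-10T07:52:10.797970+0100", // 220 ms after the previous one: same beacon, second alert
	"2025-01-10T07:52:40.582574+0100",
	"2025-01-10T07:53:10.570196+0100",
	"2025-01-10T07:53:40.582254+0100",
	"2025-01-10T07:54:10.583468+0100",
}

// layout matches the report's timestamp format (microseconds, offset without colon).
const layout = "2006-01-02T15:04:05.999999-0700"

// BeaconStats parses and sorts the timestamps, drops any alert that fires
// within dedupWindow of the previous kept one, and returns the median gap
// between the remaining events, the largest deviation from that median, and
// how many distinct events survived de-duplication.
func BeaconStats(stamps []string, dedupWindow time.Duration) (period, jitter time.Duration, n int, err error) {
	ts := make([]time.Time, 0, len(stamps))
	for _, s := range stamps {
		t, e := time.Parse(layout, s)
		if e != nil {
			return 0, 0, 0, e
		}
		ts = append(ts, t)
	}
	sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })

	events := make([]time.Time, 0, len(ts))
	for _, t := range ts {
		if len(events) > 0 && t.Sub(events[len(events)-1]) < dedupWindow {
			continue // duplicate alert for the same beacon
		}
		events = append(events, t)
	}
	if len(events) < 3 {
		return 0, 0, len(events), fmt.Errorf("need at least 3 events to estimate a period, have %d", len(events))
	}

	gaps := make([]time.Duration, 0, len(events)-1)
	for i := 1; i < len(events); i++ {
		gaps = append(gaps, events[i].Sub(events[i-1]))
	}
	sort.Slice(gaps, func(i, j int) bool { return gaps[i] < gaps[j] })
	period = gaps[len(gaps)/2] // median is robust to a single missed or extra beacon
	for _, g := range gaps {
		d := g - period
		if d < 0 {
			d = -d
		}
		if d > jitter {
			jitter = d
		}
	}
	return period, jitter, len(events), nil
}

// IsPeriodic is the simplest beacon heuristic: all gaps sit within
// maxJitterFrac of the median period. Real malware with randomised sleep
// needs a looser threshold or a distribution test; XWorm's PING here does not.
func IsPeriodic(period, jitter time.Duration, maxJitterFrac float64) bool {
	return period > 0 && float64(jitter) <= maxJitterFrac*float64(period)
}

func main() {
	period, jitter, n, err := BeaconStats(pingAlerts, time.Second)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%d distinct beacons, median period %v, max jitter %v, periodic=%v\n",
		n, period, jitter, IsPeriodic(period, jitter, 0.05))
}
```

On the report's data this yields eight distinct beacons with a median period of just over 30 s and jitter of roughly 20 ms, which is why the same 30-second rhythm is visible in the larger 2852870 table as well.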


            AV Detection

Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Avira: detected
Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Malware Configuration Extractor: Xworm {"C2 url": ["87.120.116.179"], "Port": 1300, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Virustotal: Detection: 70%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Joe Sandbox ML: detected
Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | String decryptor: 87.120.116.179
Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | String decryptor: 1300
Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | String decryptor: <123456789>
Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | String decryptor: <Xwormmm>
Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | String decryptor: 09-01-25
Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | String decryptor: USB.exe
Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
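The string-decryptor output above hands an analyst the two values needed to read this client's C2 messages: the AES key "<123456789>" and the field delimiter (SPL) "<Xwormmm>". The Go program below is an added example, not code from the Joe Sandbox report or from XWorm itself. It assumes the key schedule that public analyses describe for XWorm v3 (MD5 of the key string, the 16-byte digest copied into a zeroed 32-byte buffer at offsets 0 and 15, AES-256 in ECB mode with PKCS#7 padding) and should be confirmed against this build's own AES routine before it is trusted on real captures. The message it decrypts is constructed here for the round trip, not traffic from this analysis, and the length-prefix framing that the "Generic Prefix Bytes" Suricata rules key on is outside its scope.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// xwormKey builds the 32-byte AES-256 key the way public analyses describe
// XWorm v3's AES helper doing it (assumption for this build): MD5 the key
// string, write the digest at offset 0 and again at offset 15 of a zeroed
// 32-byte buffer. Byte 15 is overwritten by the second copy; byte 31 stays 0x00.
func xwormKey(keyStr string) []byte {
	digest := md5.Sum([]byte(keyStr))
	key := make([]byte, 32)
	copy(key[0:16], digest[:])
	copy(key[15:31], digest[:])
	return key
}

func pkcs7Pad(b []byte, blockSize int) []byte {
	p := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(p)}, p)...)
}

// pkcs7Unpad rejects malformed padding, which is also how a wrong key
// usually shows up: the last block decrypts to garbage that fails this check.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	p := int(b[len(b)-1])
	if p == 0 || p > aes.BlockSize || p > len(b) {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	for _, c := range b[len(b)-p:] {
		if int(c) != p {
			return nil, errors.New("invalid PKCS#7 padding")
		}
	}
	return b[:len(b)-p], nil
}

// Go's standard library deliberately offers no ECB mode, so the block cipher
// is applied to each 16-byte block by hand.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	in := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
	}
	return out, nil
}

func ecbDecrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	out := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += aes.BlockSize {
		block.Decrypt(out[i:i+aes.BlockSize], ciphertext[i:i+aes.BlockSize])
	}
	return pkcs7Unpad(out)
}

// DecryptXWorm decodes one base64 blob, decrypts it with the key string from
// the extracted config, and splits the plaintext on the SPL delimiter.
func DecryptXWorm(keyStr, spl, b64 string) ([]string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	pt, err := ecbDecrypt(xwormKey(keyStr), raw)
	if err != nil {
		return nil, err
	}
	return strings.Split(string(pt), spl), nil
}

// EncryptXWorm is the inverse; here it only serves to build the sample blob.
func EncryptXWorm(keyStr, spl string, fields ...string) (string, error) {
	ct, err := ecbEncrypt(xwormKey(keyStr), []byte(strings.Join(fields, spl)))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

func main() {
	key, spl := "<123456789>", "<Xwormmm>" // values from this sample's extracted config
	// Constructed sample message; field names are illustrative, not captured traffic.
	blob, _ := EncryptXWorm(key, spl, "INFO", "HWID-EXAMPLE", "user", "WIN-EXAMPLE")
	fields, err := DecryptXWorm(key, spl, blob)
	fmt.Println(fields, err)
}
```

Because the key is derived from a short operator-chosen string with no salt and the mode is ECB, any two messages that share a leading 16-byte block (the same command name padded by the delimiter, for instance) produce an identical first ciphertext block, which is what makes prefix-based network signatures such as the ones that fired here viable.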

            Networking

            barindex
            Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49715 -> 87.120.116.179:1300
            Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 87.120.116.179:1300 -> 192.168.2.5:49715
            Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49715 -> 87.120.116.179:1300
            Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 87.120.116.179:1300 -> 192.168.2.5:49715
            Source: Network trafficSuricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49715 -> 87.120.116.179:1300
            Source: Malware configuration extractorURLs: 87.120.116.179
            Source: global trafficTCP traffic: 192.168.2.5:49715 -> 87.120.116.179:1300
            Source: Joe Sandbox ViewIP Address: 87.120.116.179 87.120.116.179
            Source: Joe Sandbox ViewASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe, 00000000.00000002.4601622919.0000000003081000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            System Summary

            barindex
            Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.0.17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.0.17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000000.2147758981.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Code function: 0_2_00007FF848846716
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Code function: 0_2_00007FF8488474C2
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Code function: 0_2_00007FF848842800
            Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe, 00000000.00000000.2147781006.0000000000EAC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameproblema.exe4 vs 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe
            Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Binary or memory string: OriginalFilenameproblema.exe4 vs 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe
            Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.0.17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.0.17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000000.2147758981.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\EV6OqLeL7a2Ronpg
            Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | ReversingLabs: Detection: 84%
            Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Virustotal: Detection: 70%
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: avicap32.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: msvfw32.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Code function: 0_2_00007FF8488429FA push eax; iretd 0_2_00007FF848842A11
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Code function: 0_2_00007FF848842858 pushad ; retf 0_2_00007FF8488429D1
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Code function: 0_2_00007FF848842858 push eax; iretd 0_2_00007FF848842A11
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Memory allocated: 2E90000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Memory allocated: 1B080000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Window / User API: threadDelayed 9115
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Window / User API: threadDelayed 724
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe TID: 5900 | Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe TID: 6620 | Thread sleep count: 9115 > 30
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe TID: 6620 | Thread sleep count: 724 > 30
            Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Thread delayed: delay time: 922337203685477
            Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe, 00000000.00000002.4603422911.000000001C010000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Process information queried: ProcessInformation

            Anti Debugging

            barindex
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Process Stats: CPU usage > 42% for more than 60s
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Process token adjusted: Debug
            Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Queries volume information: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe VolumeInformation
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe, 00000000.00000002.4600944566.0000000001386000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            barindex
            Source: Yara match | File source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe.ea0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.2147758981.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.4601622919.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe PID: 7128, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Source: Yara match | File source: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe.ea0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.2147758981.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.4601622919.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe PID: 7128, type: MEMORYSTR
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (11) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | OS Credential Dumping | Security Software Discovery (221) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (232) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (1) | Security Account Manager | Virtualization/Sandbox Evasion (232) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | DLL Side-Loading (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery (13) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact

Source | Detection | Scanner | Label | Link
17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | 71% | Virustotal | | Browse
17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | 100% | Avira | TR/Spy.Gen |
17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label | Link
87.120.116.179 | 0% | Avira URL Cloud | safe |
            No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
87.120.116.179 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe, 00000000.00000002.4601622919.0000000003081000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
87.120.116.179 | unknown | Bulgaria | | 25206 | UNACS-AS-BG8000BurgasBG | true
              Joe Sandbox version:42.0.0 Malachite
              Analysis ID:1587331
              Start date and time:2025-01-10 07:49:07 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 6m 26s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@1/0@0/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 4
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240000 for current running targets taking high CPU consumption
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
              • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50, 40.126.32.136
              • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Time | Type | Description
01:50:13 | API Interceptor | 14047168x Sleep call for process: 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
87.120.116.179 | 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Get hash | malicious | XWorm | Browse |
87.120.116.179 | 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | Get hash | malicious | XWorm | Browse |
87.120.116.179 | 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe | Get hash | malicious | AsyncRAT, DcRat | Browse |
87.120.116.179 | 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe | Get hash | malicious | XWorm | Browse |
87.120.116.179 | 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | Get hash | malicious | XWorm | Browse |
87.120.116.179 | 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | Get hash | malicious | XWorm | Browse |
87.120.116.179 | 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | Get hash | malicious | XWorm | Browse |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
UNACS-AS-BG8000BurgasBG | Material Requirments.pif.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse | 87.120.116.245
UNACS-AS-BG8000BurgasBG | Material requirements_1.pif.exe | Get hash | malicious | Remcos | Browse | 87.120.116.245
UNACS-AS-BG8000BurgasBG | 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Get hash | malicious | XWorm | Browse | 87.120.116.179
UNACS-AS-BG8000BurgasBG | 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | Get hash | malicious | XWorm | Browse | 87.120.116.179
UNACS-AS-BG8000BurgasBG | Inquiry List.doc | Get hash | malicious | DarkVision Rat | Browse | 87.120.113.91
UNACS-AS-BG8000BurgasBG | 3lhrJ4X.exe | Get hash | malicious | LiteHTTP Bot | Browse | 87.120.126.5
UNACS-AS-BG8000BurgasBG | XClient.exe | Get hash | malicious | XWorm | Browse | 87.120.125.47
UNACS-AS-BG8000BurgasBG | file.exe | Get hash | malicious | DcRat, JasonRAT | Browse | 87.120.113.91
UNACS-AS-BG8000BurgasBG | 009274965.lnk | Get hash | malicious | DarkVision Rat | Browse | 87.120.113.91
UNACS-AS-BG8000BurgasBG | hoEtvOOrYH.exe | Get hash | malicious | SmokeLoader | Browse | 87.120.115.216
                            No context
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):5.611655998985715
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            • Win32 Executable (generic) a (10002005/4) 49.75%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Windows Screen Saver (13104/52) 0.07%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            File name:17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe
                            File size:36'864 bytes
                            MD5:d7edb2f9bd829d3177dafbbae2e1ab6f
                            SHA1:bf8fdcda459d9b9ada2ace6877e5b00a24db617e
                            SHA256:7bb9c8a49a6734d2c337285564566120807b5e85c78f6eae8c3a0ffc4c882213
                            SHA512:8fe98cd0e925f4e5a661cfc40a8e77caca9905d90b66a47e735ca21bae67b879ea2e6e8ba1288714534d7b7178ecf741a79546c385b00add1fe12a526b34d104
                            SSDEEP:768:OL13A5Uno9RfHWa2BLyeo8icH1bxbFb9EPOMh9QXvO:4xA5Uno9JHWX+eNicH1bBFb9EPOMz6O
                            TLSH:4FF24C48BBE04216D9ED6BF5A97372020274E613D917EB4E4CD48AD76F27BC48D013EA
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K..g................................. ........@.. ....................................@................................
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x40a5ee
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x677FC34B [Thu Jan 9 12:38:35 2025 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa598 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x85f4 | 0x8600 | c6cafffae732f8047c6132c24f143f1a | False | 0.49903801305970147 | data | 5.747106887306253 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x4e0 | 0x600 | e5d58183f8f460c6f660033d5a3ee884 | False | 0.375 | data | 3.7166150004354077 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | fd3ac7fbb8a34dc91e775b7c64e87bbc | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x24c | data | | | 0.467687074829932
RT_MANIFEST | 0xc2f0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T07:50:29.538989+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:50:29.717657+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:50:29.772872+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:50:40.565114+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:50:40.565114+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:50:44.461065+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:50:44.463087+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:50:59.226839+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:50:59.229730+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:10.588541+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:51:10.588541+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:51:13.977555+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:51:13.979670+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:28.727222+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:51:28.740868+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:37.148426+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:51:37.151651+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:37.248985+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:51:37.251518+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:40.591447+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:51:40.591447+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:51:47.320543+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:51:47.324620+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:47.412892+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:51:47.445944+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:47.546438+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:47.551431+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:57.431339+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:51:57.433457+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:57.530787+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:51:57.578094+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:57.629806+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:51:57.631545+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:57.641011+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:57.728771+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:51:57.730971+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:57.830937+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:57.838170+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:57.928258+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:51:57.934747+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:58.032178+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:51:58.042961+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:51:58.667936+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:51:58.677779+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:10.578092+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:10.578092+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:10.797970+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:10.797970+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:11.210800+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:11.213083+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:11.804511+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:11.806721+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:11.903973+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:11.906431+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:12.804282+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:12.808931+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:12.906223+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:12.909683+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:13.243294+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:13.245401+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:13.332473+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:13.334558+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:13.426310+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:13.428381+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:13.525631+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:13.527772+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:13.625435+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:13.627676+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:13.754477+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:15.475671+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:15.477961+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:30.132065+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:30.141988+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:37.929577+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:37.932049+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:40.582574+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:40.582574+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:49.444894+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:49.448189+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:49.538142+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:49.539947+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:49.614472+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:49.616559+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:49.714108+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:49.716295+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:49.813756+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:49.815489+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:49.918869+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:49.926014+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:49.934052+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:54.023401+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:54.035294+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:54.439652+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:54.448749+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:55.321103+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:55.323602+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:57.460689+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
                            2025-01-10T07:52:57.503350+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:05.492233+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:05.501132+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:05.584704+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:05.587124+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:05.684567+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:05.686847+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:07.383152+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:07.385875+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:10.570196+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:10.570196+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:21.306197+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:21.309273+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:21.398576+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:21.400710+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:21.498037+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:21.500696+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:21.635705+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:21.637478+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:24.213376+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:24.216098+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:27.332057+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:27.334503+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:40.582254+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:40.582254+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:41.101640+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:41.107047+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:42.993122+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:43.000696+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:43.097946+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:43.099976+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:47.491331+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:47.493672+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:47.590988+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:47.593258+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:47.690564+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:47.692392+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:47.789798+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:47.791677+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:57.023148+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:57.025676+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:57.913893+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:57.915848+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:53:58.228357+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:53:58.232476+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:54:01.243897+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:54:01.512682+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:54:06.164286+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:54:06.169367+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:54:08.295941+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:54:08.301261+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:54:10.583468+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:54:10.583468+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:54:11.601420+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:54:11.603525+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:54:13.585735+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:54:13.588487+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:54:13.685839+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:54:13.688052+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:54:13.903890+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:54:13.906210+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
                            2025-01-10T07:54:16.913719+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.549715TCP
                            2025-01-10T07:54:16.914636+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971587.120.116.1791300TCP
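The alert table above shows one TCP session (192.168.2.5:49715 to 87.120.116.179:1300) in which the server-side "PING Command Inbound" signature fires at 07:52:40, 07:53:10, 07:53:40 and 07:54:10, i.e. a keepalive the C2 sends every 30 seconds, while the "(Client)" check-in signature only ever fires in the implant-to-server direction. The following Python is an added example, not part of the Joe Sandbox report and not Suricata's or Joe Sandbox's own code: it parses a handful of those rows (transcribed here with " | " between columns, in the table's column order, which is an assumption of this example rather than a format the report emits), picks out the C2 peer as the only endpoint outside private address space, counts per-SID direction, and measures the keepalive cadence from the alert timestamps.

```python
import ipaddress
from datetime import datetime
from statistics import median

# Alert rows copied from the Suricata table of this report, one per line, with
# " | " separating the columns (an assumed separator for this example):
# Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
ALERT_ROWS = """\
2025-01-10T07:52:37.929577+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:37.932049+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49715 | 87.120.116.179 | 1300 | TCP
2025-01-10T07:52:40.582574+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:52:40.582574+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:53:10.570196+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:53:40.582254+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
2025-01-10T07:54:10.583468+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.5 | 49715 | TCP
"""

COLUMNS = ("timestamp", "sid", "signature", "severity",
           "src_ip", "src_port", "dst_ip", "dst_port", "proto")


def parse_alerts(text):
    """Parse ' | '-separated alert rows into dicts with typed fields."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(" | ")]
        if len(fields) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}: {line!r}")
        rec = dict(zip(COLUMNS, fields))
        # %z accepts the "+0100" offset form used in the report's timestamps
        rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        for key in ("sid", "severity", "src_port", "dst_port"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def c2_endpoints(alerts):
    """Return the set of (ip, port) peers outside private address space.

    The sandbox host sits in RFC 1918 space, so the public peer in a CnC alert
    is the C2 server.
    """
    peers = set()
    for a in alerts:
        for ip, port in ((a["src_ip"], a["src_port"]), (a["dst_ip"], a["dst_port"])):
            if not ipaddress.ip_address(ip).is_private:
                peers.add((ip, port))
    return peers


def direction_counts(alerts, c2):
    """Per SID, count alerts sent by the C2 (inbound) vs. by the implant (outbound)."""
    counts = {}
    for a in alerts:
        d = counts.setdefault(a["sid"], {"inbound": 0, "outbound": 0})
        if (a["src_ip"], a["src_port"]) in c2:
            d["inbound"] += 1
        else:
            d["outbound"] += 1
    return counts


def beacon_interval(alerts, sid):
    """Median gap in seconds between consecutive alerts carrying the given SID.

    A stable gap across many hits is the keepalive cadence of the C2 channel;
    returns None when fewer than two alerts with that SID exist.
    """
    times = sorted(a["timestamp"] for a in alerts if a["sid"] == sid)
    if len(times) < 2:
        return None
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    return median(gaps)


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_ROWS)
    c2 = c2_endpoints(alerts)
    print("C2 endpoint(s):", c2)
    for sid, d in sorted(direction_counts(alerts, c2).items()):
        print(f"SID {sid}: {d['inbound']} inbound, {d['outbound']} outbound")
    print("PING keepalive interval (s):", beacon_interval(alerts, 2852874))
```

Run against the seven rows embedded above, the script reports 87.120.116.179:1300 as the only public peer, SID 2852874 as purely server-to-client, and a median PING interval of roughly 30 seconds. Feeding it the full table from this report gives the same picture; the regularity of that inbound interval, not the individual check-in bytes, is what makes the channel stand out in flow data when a signature is unavailable.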
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 07:50:14.577109098 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:50:14.581937075 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:50:14.582060099 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:50:14.785727978 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:50:14.790558100 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:50:29.538989067 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:50:29.544063091 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:50:29.717657089 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:50:29.765738964 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:50:29.772871971 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:50:29.777715921 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:50:40.565114021 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:50:40.609522104 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:50:44.282058001 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:50:44.286942959 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:50:44.461065054 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:50:44.463087082 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:50:44.467888117 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:50:59.048437119 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:50:59.053380013 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:50:59.226839066 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:50:59.229729891 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:50:59.234668016 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:10.588541031 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:10.640758038 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:13.797564030 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:13.803136110 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:13.977555037 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:13.979670048 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:13.984536886 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:28.547391891 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:28.552237988 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:28.727221966 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:28.740868092 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:28.745769978 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:36.969357014 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:36.974129915 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:37.016231060 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:37.021060944 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:37.148426056 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:37.151650906 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:37.156533003 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:37.248985052 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:37.251518011 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:37.256318092 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:40.591447115 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:40.640969038 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:47.141206026 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:47.146040916 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:47.156966925 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:47.162019968 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:47.172312975 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:47.177267075 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:47.187958956 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:47.194726944 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:47.320543051 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:47.324620008 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:47.329438925 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:47.412892103 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:47.445944071 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:47.450860977 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:47.543410063 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:47.546437979 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:47.551372051 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:47.551430941 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:47.556253910 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.250608921 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:57.255505085 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.266138077 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:57.272317886 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.281639099 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:57.286537886 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.375463963 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:57.380343914 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.431339025 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.433456898 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:57.438357115 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.469247103 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:57.474118948 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.484797955 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:57.489671946 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.530786991 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.532474041 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:57.578033924 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.578094006 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:57.582940102 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.629806042 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.631545067 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:57.636329889 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.641011000 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:57.645876884 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.728770971 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.730971098 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:57.735831976 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.828174114 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.830936909 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:57.835839033 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.838170052 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:57.842986107 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.928257942 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:57.934746981 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:57.939651012 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:58.032177925 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:58.042960882 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:58.048297882 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:58.485049963 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:58.489999056 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:58.667936087 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:51:58.677778959 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:51:58.682698965 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:10.578092098 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:10.797970057 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:10.801856995 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:11.031750917 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:11.036881924 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:11.210799932 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:11.213083029 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:11.217890978 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:11.625613928 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:11.630481958 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:11.657191038 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:11.661943913 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:11.804511070 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:11.806720972 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:11.811564922 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:11.903973103 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:11.906430960 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:11.911256075 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:12.625448942 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:12.630357981 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:12.696944952 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:12.701756954 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:12.804281950 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:12.808931112 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:12.813844919 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:12.906223059 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:12.909682989 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:12.914556026 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.016210079 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:13.021194935 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.094300985 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:13.099240065 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.125948906 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:13.130923986 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.188201904 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:13.193109989 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.235131979 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:13.240056992 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.243294001 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.245400906 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:13.294090986 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.328954935 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:13.332473040 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.333856106 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.334558010 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:13.339397907 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.345000982 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:13.349817991 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.360938072 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:13.365874052 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.426310062 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.428380966 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:13.433271885 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.525630951 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.527771950 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:13.532934904 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.625435114 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.627676010 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:13.632599115 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.725008011 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.754477024 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:13.759383917 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:13.759464025 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:13.764343977 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:15.203814030 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:15.315304995 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:15.475671053 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:15.477961063 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:15.482721090 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:29.953568935 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:29.958504915 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:30.132065058 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:30.141988039 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:30.146835089 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:37.750370026 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:37.755310059 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:37.929577112 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:37.932049036 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:37.936862946 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:40.582573891 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:40.625125885 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:49.266165018 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:49.271079063 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:49.281724930 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:49.286669016 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:49.391071081 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:49.396049023 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:49.444894075 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:49.448189020 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:49.453057051 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:49.484935045 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:49.489901066 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:49.516005993 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:49.520936966 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:49.531547070 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:49.537260056 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:49.538141966 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:49.539947033 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:49.586007118 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:49.586095095 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:49.590919018 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:49.614471912 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:49.616559029 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:49.662054062 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:49.714107990 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:49.716295004 CET | 49715 | 1300 | 192.168.2.5 | 87.120.116.179
Jan 10, 2025 07:52:49.721241951 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
Jan 10, 2025 07:52:49.813755989 CET | 1300 | 49715 | 87.120.116.179 | 192.168.2.5
                            Jan 10, 2025 07:52:49.815489054 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:52:49.820362091 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:52:49.913033962 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:52:49.918869019 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:52:49.923830986 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:52:49.926013947 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:52:49.930880070 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:52:49.934051991 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:52:49.938927889 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:52:53.844435930 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:52:53.849442005 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:52:54.023401022 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:52:54.035294056 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:52:54.040321112 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:52:54.189084053 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:52:54.194133043 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:52:54.439651966 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:52:54.448749065 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:52:54.453680992 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:52:55.141319036 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:52:55.146363020 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:52:55.321103096 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:52:55.323601961 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:52:55.328481913 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:52:57.282068014 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:52:57.286993027 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:52:57.460689068 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:52:57.503350019 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:52:57.508299112 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:05.312963009 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:05.317967892 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:05.344162941 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:05.349155903 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:05.359848976 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:05.364635944 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:05.492233038 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:05.501132011 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:05.506330967 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:05.584703922 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:05.587124109 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:05.592060089 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:05.684566975 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:05.686846972 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:05.691792011 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:07.203983068 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:07.208961964 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:07.383152008 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:07.385874987 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:07.390806913 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:10.570195913 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:10.782788038 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:21.109946966 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:21.115025043 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:21.141231060 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:21.146155119 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:21.266144991 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:21.271092892 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:21.306196928 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:21.309273005 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:21.358037949 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:21.359986067 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:21.364940882 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:21.398576021 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:21.400710106 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:21.446042061 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:21.498037100 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:21.500695944 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:21.505614042 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:21.635704994 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:21.637478113 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:21.642445087 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:24.033191919 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:24.038218021 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:24.213376045 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:24.216098070 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:24.221860886 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:27.109827042 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:27.114762068 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:27.332056999 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:27.334502935 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:27.339411020 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:40.582253933 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:40.625140905 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:40.922935963 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:40.928194046 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:41.101639986 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:41.107047081 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:41.114569902 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:42.813868999 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:42.818962097 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:42.828928947 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:42.833729029 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:42.993122101 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:43.000695944 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:43.005598068 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:43.097945929 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:43.099976063 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:43.104932070 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:47.313127041 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:47.318085909 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:47.360045910 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:47.364955902 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:47.406874895 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:47.411863089 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:47.422470093 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:47.427416086 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:47.491331100 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:47.493671894 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:47.498564959 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:47.590987921 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:47.593257904 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:47.598138094 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:47.690563917 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:47.692392111 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:47.697310925 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:47.789798021 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:47.791676998 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:47.796540022 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:56.844347000 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:56.849343061 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:57.023148060 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:57.025676012 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:57.030580997 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:57.735001087 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:57.739898920 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:57.913892984 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:57.915848017 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:57.920722961 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:58.047442913 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:58.052437067 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:58.228357077 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:53:58.232475996 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:53:58.237309933 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:01.065080881 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:01.069998980 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:01.243896961 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:01.343907118 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:01.512681961 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:01.519063950 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:05.984968901 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:05.990040064 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:06.164285898 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:06.169367075 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:06.174293041 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:08.110215902 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:08.115349054 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:08.295941114 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:08.301260948 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:08.306250095 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:10.583467960 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:10.642880917 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:11.422513008 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:11.427408934 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:11.601419926 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:11.603524923 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:11.608374119 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:13.406821966 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:13.411912918 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:13.422283888 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:13.427290916 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:13.585735083 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:13.588486910 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:13.593394041 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:13.672872066 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:13.677866936 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:13.685838938 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:13.688051939 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:13.734035015 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:13.903889894 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:13.906209946 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:13.911168098 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:16.734891891 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:16.739865065 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:16.913718939 CET13004971587.120.116.179192.168.2.5
                            Jan 10, 2025 07:54:16.914635897 CET497151300192.168.2.587.120.116.179
                            Jan 10, 2025 07:54:16.919466972 CET13004971587.120.116.179192.168.2.5


                            Target ID:0
                            Start time:01:50:10
                            Start date:10/01/2025
                            Path:C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe"
                            Imagebase:0xea0000
                            File size:36'864 bytes
                            MD5 hash:D7EDB2F9BD829D3177DAFBBAE2E1AB6F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2147758981.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2147758981.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4601622919.0000000003081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:false

                              Execution Graph

                              Execution Coverage:21.2%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:3
                              Total number of Limit Nodes:0
                              execution_graph 4492 7ff848841be8 4493 7ff848841bf1 SetWindowsHookExW 4492->4493 4495 7ff848841cc1 4493->4495

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.4604508052.00007FF848840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848840000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff848840000_17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc260.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: afcaae2e0464c6515dc0cea222cd056a2c03ba7d2d0e80c76ad109b0c0c68d2e
                              • Instruction ID: 71500e9a44016822675146091189155aa4425d414a7ec2b43d78d0a936b99896
                              • Opcode Fuzzy Hash: afcaae2e0464c6515dc0cea222cd056a2c03ba7d2d0e80c76ad109b0c0c68d2e
                              • Instruction Fuzzy Hash: 3F726C31F1C90A8FEA94FB38845A67972D2EFD8794F5445B9D40EC7287EE2CE8428744

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000000.00000002.4604508052.00007FF848840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848840000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff848840000_17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc260.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ed4be0c8c75debd8060072ef353f1242e5f86aa917e69caa42e438dbfe29a235
                              • Instruction ID: 58326ff02ff35bba981531264df61d99fbd12c9a45c865fec718eb0f7679a2d6
                              • Opcode Fuzzy Hash: ed4be0c8c75debd8060072ef353f1242e5f86aa917e69caa42e438dbfe29a235
                              • Instruction Fuzzy Hash: 4DF1B431A0CA8D8FEBA8EF28C8557E93BD1FF54750F04426EE84DC7291DB7499458B82

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000000.00000002.4604508052.00007FF848840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848840000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff848840000_17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc260.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eeb5ecd909439467dbb9496f5760fe2218a0a1681b9c9ee4ce8105f19382fa08
                              • Instruction ID: d113d7c11588eb6d8500f4acf4c3b678b28c9c71c5ddd6474afe36ab2be3c412
                              • Opcode Fuzzy Hash: eeb5ecd909439467dbb9496f5760fe2218a0a1681b9c9ee4ce8105f19382fa08
                              • Instruction Fuzzy Hash: A6E1C131A0CA8E8FEBA8EF28C8557E937D1EF54750F14426ED84DC7291DF78A8418B81

                              Control-flow Graph

                              control_flow_graph 384 7ff848841be8-7ff848841bef 385 7ff848841bfa-7ff848841c6d 384->385 386 7ff848841bf1-7ff848841bf9 384->386 390 7ff848841cf9-7ff848841cfd 385->390 391 7ff848841c73-7ff848841c78 385->391 386->385 392 7ff848841c82-7ff848841cbf SetWindowsHookExW 390->392 393 7ff848841c7f-7ff848841c80 391->393 394 7ff848841cc1 392->394 395 7ff848841cc7-7ff848841cf8 392->395 393->392 394->395
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.4604508052.00007FF848840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848840000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff848840000_17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc260.jbxd
                              Similarity
                              • API ID: HookWindows
                              • String ID:
                              • API String ID: 2559412058-0
                              • Opcode ID: 6758a7a23dba172565a1e8867c4f1373cea547849065fa92451598ac6cd16fa2
                              • Instruction ID: fa9ddc25f400da96e8b75981ca1036db012ea94887c26581902bdedfdae261a5
                              • Opcode Fuzzy Hash: 6758a7a23dba172565a1e8867c4f1373cea547849065fa92451598ac6cd16fa2
                              • Instruction Fuzzy Hash: B5412631A1CA5D4FDB18EF6CD8466F9BBE1EF59311F00427ED009C3292DA64A852C7C5
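The two `control_flow_graph` dumps above (functions 7ff8488474c2 and 7ff848841be8) are flat token streams: a block is `<id> <start>[-<end>]`, an edge is `<a>-><b>`, and a block may carry a `call <addr>` or an imported API name such as `SetWindowsHookExW`. When a report lists hundreds of such functions it is faster to parse them than to read them. The parser below is an added example, not code from Joe Sandbox or from the sample; its only inputs are the two dump lines copied verbatim from this report, and the `Block`/`Cfg` names and the triage summary it computes (entry and exit blocks, blocks that call imports, blocks that branch back to themselves) are my own choices.

```python
import re
from dataclasses import dataclass, field

# Copied verbatim from the two control_flow_graph dumps in the report above
# (functions at 7ff8488474c2 and 7ff848841be8). These are the parser inputs.
XWORM_CFG_521 = "control_flow_graph 521 7ff8488474c2-7ff8488474cf 522 7ff8488474da-7ff8488475a7 521->522 523 7ff8488474d1-7ff8488474d9 521->523 527 7ff8488475a9-7ff8488475b2 522->527 528 7ff848847613 522->528 523->522 527->528 529 7ff8488475b4-7ff8488475c0 527->529 530 7ff848847615-7ff84884763a 528->530 531 7ff8488475f9-7ff848847611 529->531 532 7ff8488475c2-7ff8488475d4 529->532 536 7ff84884763c-7ff848847645 530->536 537 7ff8488476a6 530->537 531->530 534 7ff8488475d8-7ff8488475eb 532->534 535 7ff8488475d6 532->535 534->534 538 7ff8488475ed-7ff8488475f5 534->538 535->534 536->537 539 7ff848847647-7ff848847653 536->539 540 7ff8488476a8-7ff8488476cd 537->540 538->531 541 7ff84884768c-7ff8488476a4 539->541 542 7ff848847655-7ff848847667 539->542 547 7ff84884773b 540->547 548 7ff8488476cf-7ff8488476d9 540->548 541->540 543 7ff84884766b-7ff84884767e 542->543 544 7ff848847669 542->544 543->543 546 7ff848847680-7ff848847688 543->546 544->543 546->541 549 7ff84884773d-7ff84884776b 547->549 548->547 550 7ff8488476db-7ff8488476e8 548->550 557 7ff8488477db 549->557 558 7ff84884776d-7ff848847778 549->558 551 7ff8488476ea-7ff8488476fc 550->551 552 7ff848847721-7ff848847739 550->552 554 7ff8488476fe 551->554 555 7ff848847700-7ff848847713 551->555 552->549 554->555 555->555 556 7ff848847715-7ff84884771d 555->556 556->552 560 7ff8488477dd-7ff8488478b5 557->560 558->557 559 7ff84884777a-7ff848847788 558->559 561 7ff84884778a-7ff84884779c 559->561 562 7ff8488477c1-7ff8488477d9 559->562 570 7ff8488478bb-7ff8488478ca 560->570 564 7ff84884779e 561->564 565 7ff8488477a0-7ff8488477b3 561->565 562->560 564->565 565->565 567 7ff8488477b5-7ff8488477bd 565->567 567->562 571 7ff8488478cc 570->571 572 7ff8488478d2-7ff848847934 call 7ff848847950 570->572 571->572 579 7ff84884793b-7ff84884794f 572->579 580 7ff848847936 572->580 580->579"
XWORM_CFG_384 = "control_flow_graph 384 7ff848841be8-7ff848841bef 385 7ff848841bfa-7ff848841c6d 384->385 386 7ff848841bf1-7ff848841bf9 384->386 390 7ff848841cf9-7ff848841cfd 385->390 391 7ff848841c73-7ff848841c78 385->391 386->385 392 7ff848841c82-7ff848841cbf SetWindowsHookExW 390->392 393 7ff848841c7f-7ff848841c80 391->393 394 7ff848841cc1 392->394 395 7ff848841cc7-7ff848841cf8 392->395 393->392 394->395"

# Token shapes in the dump:
#   <id> <start>[-<end>]  basic block: decimal node id, then one address or a range
#   call <addr>           annotation on the preceding block (intra-module call)
#   <ApiName>             annotation on the preceding block (imported API called there)
#   <a>-><b>              edge between two node ids
NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # targets of "call <addr>" annotations
    apis: list = field(default_factory=list)   # imported API names attached to the block


@dataclass
class Cfg:
    blocks: dict   # node_id -> Block
    edges: list    # (src, dst) pairs in dump order

    def successors(self, node_id):
        return [d for s, d in self.edges if s == node_id]

    def predecessors(self, node_id):
        return [s for s, d in self.edges if d == node_id]

    def entry_blocks(self):
        return sorted(b for b in self.blocks if not self.predecessors(b))

    def exit_blocks(self):
        return sorted(b for b in self.blocks if not self.successors(b))

    def self_loops(self):
        # A block whose only way forward is a branch back to itself: a tight loop.
        return sorted(s for s, d in self.edges if s == d)

    def api_blocks(self):
        return {b.node_id: b.apis for b in self.blocks.values() if b.apis}


def parse_cfg(line):
    """Parse one control_flow_graph dump line into blocks and edges."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            lo, _, hi = tokens[i + 1].partition("-")
            current = Block(int(tok), int(lo, 16), int(hi or lo, 16))
            blocks[current.node_id] = current
            i += 2
            continue
        if tok == "call" and i + 1 < len(tokens) and current is not None:
            current.calls.append(int(tokens[i + 1], 16))
            i += 2
            continue
        if current is not None:  # anything else is an API name on the current block
            current.apis.append(tok)
        i += 1
    return Cfg(blocks, edges)


def summarize(cfg):
    """Triage facts for one function: size, entry/exit, imports used, tight loops."""
    return {
        "blocks": len(cfg.blocks),
        "edges": len(cfg.edges),
        "entry": cfg.entry_blocks(),
        "exits": cfg.exit_blocks(),
        "api_blocks": cfg.api_blocks(),
        "self_loops": cfg.self_loops(),
        "calls": {b.node_id: [hex(t) for t in b.calls] for b in cfg.blocks.values() if b.calls},
    }


if __name__ == "__main__":
    for name, dump in (("7ff8488474c2", XWORM_CFG_521), ("7ff848841be8", XWORM_CFG_384)):
        print(name, summarize(parse_cfg(dump)))
```

Running it shows the first function has four blocks that branch straight back to themselves (534, 543, 555, 565, each a short address range) and a single intra-module call to 7ff848847950, while the second is a nine-block function whose block 392 reaches `SetWindowsHookExW`; those are the blocks to open first in the dump rather than reading the whole edge list.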