Edit tour

Windows Analysis Report
XC.exe

Overview

General Information

Sample name:	XC.exe
Analysis ID:	1652214
MD5:	1d985db975f8902baac8a83b84d1e1f3
SHA1:	f065e9f9f6703f0e3f290726a9e80913f122bce4
SHA256:	de65daa216b5199e19c30b4009286ba51f340c655a629433777226727fa2855a
Tags:	exeuser-BastianHein
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

XC.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\XC.exe" MD5: 1D985DB975F8902BAAC8A83B84D1E1F3)

WerFault.exe (PID: 3148 cmdline: C:\Windows\system32\WerFault.exe -u -p 7544 -s 2268 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{
  "C2 url": [
    "functions-pressing.gl.at.ply.gg"
  ],
  "Port": 2323,
  "Aes key": "<123456789>",
  "SPL": "<Xwormmm>",
  "Install file": "USB.exe"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
XC.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
XC.exe	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x524f:$str01: $VB$Local_Port 0x5240:$str02: $VB$Local_Host 0x5462:$str03: get_Jpeg 0x4f93:$str04: get_ServicePack 0x5f1a:$str05: Select * from AntivirusProduct 0x603c:$str06: PCRestart 0x6050:$str07: shutdown.exe /f /r /t 0 0x60f0:$str08: StopReport 0x60c6:$str09: StopDDos 0x6136:$str10: sendPlugin 0x6178:$str11: OfflineKeylogger Not Enabled 0x62fe:$str12: -ExecutionPolicy Bypass -File " 0x6433:$str13: Content-length: 5235
XC.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x64de:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x657b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6690:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x634e:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1172680759.00000000000A2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1172680759.00000000000A2000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x62de:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x637b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6490:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x614e:$cnc4: POST / HTTP/1.1
Process Memory Space: XC.exe PID: 7544	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.XC.exe.a0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.XC.exe.a0000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x524f:$str01: $VB$Local_Port 0x5240:$str02: $VB$Local_Host 0x5462:$str03: get_Jpeg 0x4f93:$str04: get_ServicePack 0x5f1a:$str05: Select * from AntivirusProduct 0x603c:$str06: PCRestart 0x6050:$str07: shutdown.exe /f /r /t 0 0x60f0:$str08: StopReport 0x60c6:$str09: StopDDos 0x6136:$str10: sendPlugin 0x6178:$str11: OfflineKeylogger Not Enabled 0x62fe:$str12: -ExecutionPolicy Bypass -File " 0x6433:$str13: Content-length: 5235
0.0.XC.exe.a0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x64de:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x657b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6690:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x634e:$cnc4: POST / HTTP/1.1

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: XC.exe

Avira: detected

Antivirus detection for URL or domain

Source: functions-pressing.gl.at.ply.gg

Avira URL Cloud: Label: malware

Found malware configuration

Source: XC.exe

Malware Configuration Extractor: Xworm {"C2 url": ["functions-pressing.gl.at.ply.gg"], "Port": 2323, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for submitted file

Source: XC.exe	Virustotal: Detection: 69%			Perma Link
Source: XC.exe	ReversingLabs: Detection: 80%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 95.7%

Sample uses string decryption to hide its real strings

Source: XC.exe	String decryptor: functions-pressing.gl.at.ply.gg
Source: XC.exe	String decryptor: 2323
Source: XC.exe	String decryptor: <123456789>
Source: XC.exe	String decryptor: <Xwormmm>
Source: XC.exe	String decryptor: USB.exe

Source: XC.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 207.174.26.219:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 207.174.26.219:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 207.174.26.219:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 207.174.26.219:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 207.174.26.219:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 207.174.26.219:443 -> 192.168.2.4:49784 version: TLS 1.2

Source: XC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: System.Xml.ni.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: XC.exe, 00000000.00000002.2267081401.000000001B1FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER190D.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdbk source: XC.exe, 00000000.00000002.2266917513.000000001ACA9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: XC.exe, 00000000.00000002.2266917513.000000001ACA9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\XC.PDB source: XC.exe, 00000000.00000002.2266917513.000000001ACA9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER190D.tmp.dmp.12.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER190D.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: .pdbsQs source: XC.exe, 00000000.00000002.2266917513.000000001ACA9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER190D.tmp.dmp.12.dr
Source:	Binary string: System.Xml.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: System.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: XC.exe, 00000000.00000002.2266917513.000000001ACA9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER190D.tmp.dmp.12.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Users\user\Desktop\XC.PDB^ source: XC.exe, 00000000.00000002.2267081401.000000001B1FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: XC.exe, 00000000.00000002.2267081401.000000001B1B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: XC.exe, 00000000.00000002.2267081401.000000001B247000.00000004.00000020.00020000.00000000.sdmp, XC.exe, 00000000.00000002.2267081401.000000001B24E000.00000004.00000020.00020000.00000000.sdmp, WER190D.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: XC.exe, 00000000.00000002.2267081401.000000001B25C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: mscorlib.ni.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: System.Core.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbu source: XC.exe, 00000000.00000002.2267081401.000000001B1FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER190D.tmp.dmp.12.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: XC.exe, 00000000.00000002.2266917513.000000001ACA9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER190D.tmp.dmp.12.dr

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: functions-pressing.gl.at.ply.gg

Source: global traffic

TCP traffic: 192.168.2.4:49718 -> 147.185.221.21:2323

Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 207.174.26.219 207.174.26.219
Source: Joe Sandbox View	IP Address: 147.185.221.21 147.185.221.21

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: functions-pressing.gl.at.ply.gg
Source: global traffic	DNS traffic detected: DNS query: i.ibb.co

Source: XC.exe, 00000000.00000002.2265293931.000000000255B000.00000004.00000800.00020000.00000000.sdmp, XC.exe, 00000000.00000002.2265293931.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, XC.exe, 00000000.00000002.2265293931.00000000028DF000.00000004.00000800.00020000.00000000.sdmp, XC.exe, 00000000.00000002.2265293931.000000000274F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://i.ibb.co
Source: XC.exe, 00000000.00000002.2265293931.00000000023F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.12.dr	String found in binary or memory: http://upx.sf.net
Source: XC.exe, 00000000.00000002.2265293931.000000000255B000.00000004.00000800.00020000.00000000.sdmp, XC.exe, 00000000.00000002.2265293931.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, XC.exe, 00000000.00000002.2265293931.0000000002545000.00000004.00000800.00020000.00000000.sdmp, XC.exe, 00000000.00000002.2265293931.00000000023F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://i.ibb.co
Source: XC.exe	String found in binary or memory: https://i.ibb.co/Dwrj41N/Image.png

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 207.174.26.219:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 207.174.26.219:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 207.174.26.219:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 207.174.26.219:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 207.174.26.219:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 207.174.26.219:443 -> 192.168.2.4:49784 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: XC.exe, type: SAMPLE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: XC.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.XC.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.0.XC.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1172680759.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\XC.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7544 -s 2268

Source: XC.exe, 00000000.00000000.1172696624.00000000000AA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewsss.exe4 vs XC.exe
Source: XC.exe	Binary or memory string: OriginalFilenamewsss.exe4 vs XC.exe

Source: XC.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: XC.exe, type: SAMPLE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: XC.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.XC.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.XC.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1172680759.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: XC.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XC.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XC.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@2/2

Source: C:\Users\user\Desktop\XC.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\XC.exe	Mutant created: \Sessions\1\BaseNamedObjects\FnQtM2EQaXpkDYzM
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7544

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\99e88ed1-3c79-4355-af37-376eb8b2af7a

Jump to behavior

Source: XC.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: XC.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\XC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: XC.exe	Virustotal: Detection: 69%
Source: XC.exe	ReversingLabs: Detection: 80%

Source: C:\Users\user\Desktop\XC.exe

File read: C:\Users\user\Desktop\XC.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\XC.exe "C:\Users\user\Desktop\XC.exe"
Source: C:\Users\user\Desktop\XC.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7544 -s 2268

Source: C:\Users\user\Desktop\XC.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\XC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\XC.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: XC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: XC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: System.Xml.ni.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: XC.exe, 00000000.00000002.2267081401.000000001B1FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER190D.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdbk source: XC.exe, 00000000.00000002.2266917513.000000001ACA9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: XC.exe, 00000000.00000002.2266917513.000000001ACA9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\XC.PDB source: XC.exe, 00000000.00000002.2266917513.000000001ACA9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER190D.tmp.dmp.12.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER190D.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: .pdbsQs source: XC.exe, 00000000.00000002.2266917513.000000001ACA9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER190D.tmp.dmp.12.dr
Source:	Binary string: System.Xml.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: System.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: XC.exe, 00000000.00000002.2266917513.000000001ACA9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER190D.tmp.dmp.12.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Users\user\Desktop\XC.PDB^ source: XC.exe, 00000000.00000002.2267081401.000000001B1FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: XC.exe, 00000000.00000002.2267081401.000000001B1B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: XC.exe, 00000000.00000002.2267081401.000000001B247000.00000004.00000020.00020000.00000000.sdmp, XC.exe, 00000000.00000002.2267081401.000000001B24E000.00000004.00000020.00020000.00000000.sdmp, WER190D.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: XC.exe, 00000000.00000002.2267081401.000000001B25C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: mscorlib.ni.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: System.Core.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbu source: XC.exe, 00000000.00000002.2267081401.000000001B1FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER190D.tmp.dmp.12.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: XC.exe, 00000000.00000002.2266917513.000000001ACA9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER190D.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER190D.tmp.dmp.12.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: XC.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XC.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XC.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: XC.exe, Helper.cs	.Net Code: XMemory System.AppDomain.Load(byte[])
Source: XC.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: XC.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: XC.exe, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\XC.exe	Code function: 0_2_00007FFC3D3500BD pushad ; iretd		0_2_00007FFC3D3500C1
Source: C:\Users\user\Desktop\XC.exe	Code function: 0_2_00007FFC3D3501E8 push 10BA495Dh; retf		0_2_00007FFC3D35020B

Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\XC.exe	Memory allocated: 2190000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Memory allocated: 1A3F0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 599082	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 598800	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 598680	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 598569	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 598440	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597763	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596701	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596463	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596249	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596138	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596023	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 595917	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 595695	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 595483	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 595372	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 594219	Jump to behavior

Source: C:\Users\user\Desktop\XC.exe	Window / User API: threadDelayed 7568			Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Window / User API: threadDelayed 2262			Jump to behavior

Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 568	Thread sleep count: 7568 > 30	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 568	Thread sleep count: 2262 > 30	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -599082s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -598800s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -598680s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -598569s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -598440s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -597763s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -596701s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -596463s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -596249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -596138s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -596023s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -595917s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -595695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -595483s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -595372s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -595266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -595141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -594688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -594563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -594438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -594328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe TID: 3952	Thread sleep time: -594219s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\XC.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 599082	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 598800	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 598680	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 598569	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 598440	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597763	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596701	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596463	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596249	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596138	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 596023	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 595917	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 595695	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 595483	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 595372	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Thread delayed: delay time: 594219	Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: XC.exe, 00000000.00000002.2264515879.00000000005D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\XC.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\XC.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\XC.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\XC.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\XC.exe

Queries volume information: C:\Users\user\Desktop\XC.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\XC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: XC.exe, type: SAMPLE
Source: Yara match	File source: 0.0.XC.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1172680759.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XC.exe PID: 7544, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: XC.exe, type: SAMPLE
Source: Yara match	File source: 0.0.XC.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1172680759.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XC.exe PID: 7544, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	LSASS Memory	41 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
XC.exe	70%	Virustotal		Browse
XC.exe	81%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
XC.exe	100%	Avira	HEUR/AGEN.1305769
SAMPLE	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
functions-pressing.gl.at.ply.gg	100%	Avira URL Cloud	malware

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
functions-pressing.gl.at.ply.gg	147.185.221.21	true	true		unknown
i.ibb.co	207.174.26.219	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://i.ibb.co/Dwrj41N/Image.png	false		high
functions-pressing.gl.at.ply.gg	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://upx.sf.net	Amcache.hve.12.dr	false	high
https://i.ibb.co	XC.exe, 00000000.00000002.2265293931.000000000255B000.00000004.00000800.00020000.00000000.sdmp, XC.exe, 00000000.00000002.2265293931.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, XC.exe, 00000000.00000002.2265293931.0000000002545000.00000004.00000800.00020000.00000000.sdmp, XC.exe, 00000000.00000002.2265293931.00000000023F1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://i.ibb.co	XC.exe, 00000000.00000002.2265293931.000000000255B000.00000004.00000800.00020000.00000000.sdmp, XC.exe, 00000000.00000002.2265293931.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, XC.exe, 00000000.00000002.2265293931.00000000028DF000.00000004.00000800.00020000.00000000.sdmp, XC.exe, 00000000.00000002.2265293931.000000000274F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	XC.exe, 00000000.00000002.2265293931.00000000023F1000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
207.174.26.219	i.ibb.co	United States		6079	RCN-ASUS	false
147.185.221.21	functions-pressing.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1652214
Start date and time:	2025-03-30 18:00:56 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	XC.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 21 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22, 23.204.23.20, 4.175.87.197, 20.190.190.132
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target XC.exe, PID 7544 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:01:56	API Interceptor	2256014x Sleep call for process: XC.exe modified
12:03:42	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
207.174.26.219	FINAL -Legal Notice Presentation (1).pptx	Get hash	malicious	HTMLPhisher	Browse
	Formal Legal Notice Presentation (Approved).pptx	Get hash	malicious	HTMLPhisher	Browse
	Presentation Of Legal Notice.pptx	Get hash	malicious	HTMLPhisher	Browse
	Filled-Summons Notice (2).docx	Get hash	malicious	HTMLPhisher	Browse
	Legal_Notice _Letter.pdf	Get hash	malicious	HTMLPhisher	Browse
	https://ossin7fot.pelosfilhos.com.br?hbyf=YW5nZWxhLm0ucm9lbGxAeGNlbGVuZXJneS5jb20=	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse
	25 03 2025 Legal Notice Presentation.pptx	Get hash	malicious	Unknown	Browse
	https://drive.usercontent.google.com/download?id=1D-lVkrj-b014caeCIdakZBdw2yekeEO1&export=download	Get hash	malicious	HTMLPhisher	Browse
	https://medpetroenergydmcc.com/court/	Get hash	malicious	HTMLPhisher	Browse
	Legal_Notice_Presentation.pptx	Get hash	malicious	HTMLPhisher	Browse
147.185.221.21	cfg adder_launcher.bat	Get hash	malicious	XWorm	Browse
	E.exe	Get hash	malicious	XWorm	Browse
	5PIQD_XClient.exe	Get hash	malicious	XWorm	Browse
	Zexo.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	file.exe	Get hash	malicious	Njrat	Browse
	YPzNsfg4nR.exe	Get hash	malicious	XWorm	Browse
	Nurcraft.exe	Get hash	malicious	XWorm	Browse
	Zvas34nq1T.exe	Get hash	malicious	XWorm	Browse
	aoKTzGQSRP.exe	Get hash	malicious	XWorm	Browse
	SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe	Get hash	malicious	SheetRat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
i.ibb.co	FINAL -Legal Notice Presentation (1).pptx	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	Formal Legal Notice Presentation (Approved).pptx	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	Presentation Of Legal Notice.pptx	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	Filled-Summons Notice (2).docx	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	Legal_Notice _Letter.pdf	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	https://ossin7fot.pelosfilhos.com.br?hbyf=YW5nZWxhLm0ucm9lbGxAeGNlbGVuZXJneS5jb20=	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	207.174.26.219
	25 03 2025 Legal Notice Presentation.pptx	Get hash	malicious	Unknown	Browse	207.174.26.219
	25 03 2025 Legal Notice Presentation.pptx	Get hash	malicious	Unknown	Browse	108.181.22.211
	https://drive.usercontent.google.com/download?id=1D-lVkrj-b014caeCIdakZBdw2yekeEO1&export=download	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	https://medpetroenergydmcc.com/court/	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
functions-pressing.gl.at.ply.gg	cfg adder_launcher.bat	Get hash	malicious	XWorm	Browse	147.185.221.21
	E.exe	Get hash	malicious	XWorm	Browse	147.185.221.21
	5PIQD_XClient.exe	Get hash	malicious	XWorm	Browse	147.185.221.21

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RCN-ASUS	FINAL -Legal Notice Presentation (1).pptx	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	Formal Legal Notice Presentation (Approved).pptx	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	k03ldc.arm.elf	Get hash	malicious	Unknown	Browse	208.59.25.232
	k03ldc.x86_64.elf	Get hash	malicious	Unknown	Browse	207.175.27.218
	Presentation Of Legal Notice.pptx	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	core.vapvap	Get hash	malicious	Unknown	Browse	207.174.61.1
	Filled-Summons Notice (2).docx	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	Legal_Notice _Letter.pdf	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	https://ossin7fot.pelosfilhos.com.br?hbyf=YW5nZWxhLm0ucm9lbGxAeGNlbGVuZXJneS5jb20=	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	207.174.26.219
	25 03 2025 Legal Notice Presentation.pptx	Get hash	malicious	Unknown	Browse	207.174.26.219
SALSGIVERUS	cfg adder_launcher.bat	Get hash	malicious	XWorm	Browse	147.185.221.21
	cheatstandoff2.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.27
	plz run.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	E.exe	Get hash	malicious	XWorm	Browse	147.185.221.21
	5PIQD_XClient.exe	Get hash	malicious	XWorm	Browse	147.185.221.21
	CheatDownloader.exe	Get hash	malicious	Unknown	Browse	147.185.221.22
	Zexo.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	147.185.221.21
	xxrkjufx.exe	Get hash	malicious	NeptuneRAT	Browse	147.185.221.25
	Vanta Loader.exe	Get hash	malicious	XWorm	Browse	147.185.221.19
	XC.exe	Get hash	malicious	XWorm	Browse	147.185.221.20

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	FvkRadar Intel.exe	Get hash	malicious	XWorm	Browse	207.174.26.219
	nursultan_fix.exe	Get hash	malicious	XWorm	Browse	207.174.26.219
	AVCXw0587P.exe	Get hash	malicious	Amadey, Babadeda, Batch Injector	Browse	207.174.26.219
	JetProgram.exe	Get hash	malicious	Xmrig	Browse	207.174.26.219
	LU3J3mZT5y.exe	Get hash	malicious	LummaC Stealer	Browse	207.174.26.219
	RuntimeBroker.exe	Get hash	malicious	Unknown	Browse	207.174.26.219
	RuntimeBroker.exe	Get hash	malicious	Unknown	Browse	207.174.26.219
	climb.exe	Get hash	malicious	LummaC Stealer	Browse	207.174.26.219
	t3333-03-2825.bat	Get hash	malicious	Braodo	Browse	207.174.26.219
	66GPrIRLfp.exe	Get hash	malicious	Discord Token Stealer	Browse	207.174.26.219

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_XC.exe_9d7ec26e988816188cbeedede33f64224691688_e4acab1b_0d3de102-cc8a-4d04-a0f6-023ae447f1cf\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1776289797096562
Encrypted:	false
SSDEEP:	192:yvzk9ZBz0Sthpauz8iyrelMrSzuiF7Z24lO8D:2kZGSthpaQ8iNySzuiF7Y4lO8D
MD5:	DB6330862DDE6819DAEB12E68A0F47BD
SHA1:	3EE082910A9EDA7A78782431E426AC2460242D2C
SHA-256:	2CE070D3B64BFA44A644B470CD74094D779C11ED9F8D71D310CAFE3C57E680CD
SHA-512:	DA34C8275DEF39FBD00104FAE0B8F5180E8E979E0F3EE18A958A668ED7028E978E83A12241FF3826483441FA8A2D7EEDA4083634EB6E89E753D15D183242FF46
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.7.8.2.4.2.1.7.5.5.2.3.9.5.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.7.8.2.4.2.1.9.4.2.7.3.8.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.d.3.d.e.1.0.2.-.c.c.8.a.-.4.d.0.4.-.a.0.f.6.-.0.2.3.a.e.4.4.7.f.1.c.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.9.9.e.5.8.e.d.-.e.9.0.1.-.4.5.b.a.-.a.a.4.6.-.8.5.b.a.8.5.0.e.5.f.4.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.X.C...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.w.s.s.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.7.8.-.0.0.0.1.-.0.0.1.8.-.0.9.3.9.-.5.9.0.e.8.d.a.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.9.4.8.a.b.6.d.c.8.8.d.d.b.c.c.9.6.c.1.2.8.0.0.e.8.1.5.7.3.c.3.0.0.0.0.0.0.0.0.!.0.0.0.0.f.0.6.5.e.9.f.9.f.6.7.0.3.f.0.e.3.f.2.9.0.7.2.6.a.9.e.8.0.9.1.3.f.1.2.2.b.c.e.4.!.X.C...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER190D.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Sun Mar 30 16:03:38 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	643697
Entropy (8bit):	3.1286586788795034
Encrypted:	false
SSDEEP:	3072:Kaso8YSa5kJesgR1Wd3Pl046bP4+NMo/MvJcS1PKst3gPEY1CCqdCX03+vvoVmfS:Xso5SayeLcd3+hUhh1Sst3gsWqIX03Q
MD5:	BFEBE2A6F82C554105F68B85FB53965A
SHA1:	A8E63894CB5463AC8F4DF8D59EC235E5D2EFF957
SHA-256:	3595E42CC5FAC121026C6FCEBD9E15D6DE1942A8CFC35F11BF55515772F2B628
SHA-512:	EA70E68F625B2D5E7E0497E6532DA60EA7DF8016A1B658849FC8B3A3930831A56CE3AEE292B56A9F624E12EEA14067A599EA2CDD56D20E67C79E3D869F6FD083
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......Zk.g....................................<....(...........(......4R..&...........l.......8...........T............X...y...........3...........5..............................................................................eJ......x6......Lw......................T.......x....j.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F09.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8868
Entropy (8bit):	3.699397786590489
Encrypted:	false
SSDEEP:	192:R6l7wVeJIjos6Y6k75QgmfZlgprp89bh5sfYLm:R6lXJios6Yp7+gmfLbhCfp
MD5:	A32681648F832110B16B5ED3E994ADD9
SHA1:	5D42E5A58ACBBF9F402BC78230293BD3B460333F
SHA-256:	740751C989249220440563F31D1388670607BCF65B063BEC4934816D27ED7A50
SHA-512:	6BC6C2FEDE175602D43B584B17192EF73B642D18457BA48E909EF759E8F46935D550A8B92FEF2D3B1E2FF4CFF92EEFBB65E21857EAFAF4210DB06D442D21B2B8
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F97.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4731
Entropy (8bit):	4.426281523158525
Encrypted:	false
SSDEEP:	48:cvIwWl8zsTxrJg771I9M/WpW8VYVYm8M4JOUFFDyq8vb7HH30f0kd:uIjfTTI7/u7VRJFWXE8kd
MD5:	EDAEC478D14093C6588A920F5B2619B2
SHA1:	3D95938AA26873B5BDBDE3D5F32C9A0287071E8D
SHA-256:	3901BBAC16B3E928B09FC2CE3F662241CCDD0FE080BD55B9293C343354AA07FF
SHA-512:	65E1CFA64592DB39AB573292F4302E55F77B76B6A2643B71F49992EA4F4F26B3F3D43B119DE647B854C0BEEDA64B346B1353F359D24B24AAFA340A673D9B804A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="783786" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468716667378662
Encrypted:	false
SSDEEP:	6144:tIXfpi67eLPU9skLmb0b4sWSPKaJG8nAgejZMMhA2gX4WABlVuNqdwBCswSbR:+XD94sWlLZMM6YFUA+R
MD5:	1D3EAABF63700275673FB894E29DD8C1
SHA1:	A9755C8A3CE3947B16CAA5BBA153BD2DD2D2EA7F
SHA-256:	6CFA836B1D3347CB6E75C72B07899680598DC9B325EF05C0A52B57D86131FE3E
SHA-512:	3B8A9823EB93FE37341C32794B0091AAC6AB2C8070F11AE5B088FAD8D0D283202F968AEB133EADED5AE38AB1FD55AF42157A0AAC5181FC68CD44B72B09126A5A
Malicious:	false
Reputation:	low
Preview:	regf:...:....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...K............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.5991909269963696
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	XC.exe
File size:	31'232 bytes
MD5:	1d985db975f8902baac8a83b84d1e1f3
SHA1:	f065e9f9f6703f0e3f290726a9e80913f122bce4
SHA256:	de65daa216b5199e19c30b4009286ba51f340c655a629433777226727fa2855a
SHA512:	0e1a0470b5bd3b719886155843d0b6a909626076d86fea59cf2606de9646368557a1fdb7457364036841d311a99f7e26dcb044a9ce493cc061211253585391fb
SSDEEP:	384:MfoCEwCPmtt37GRuSFWLLZk5IGHTEXXQmRuptFlBLTIOZw/W2Zvn9Ikn11xOqhSq:/mtt3onGHGzQAm0FG9LlOqhSbG
TLSH:	C0E23B487BA88326DAFE1FF619B3910102749513DD13EF9E0CD595EB6B67AC046013EA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O.g.................p............... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x408fee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67E94FD1 [Sun Mar 30 14:06:09 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8f98	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x4d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x6ff4	0x7000	48e57fcc7a721d769532d9ed033bd268	False	0.5063127790178571	data	5.762790975001924	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x4d0	0x600	53f15f84744d23fa155e558e92bb7031	False	0.3723958333333333	data	3.6888416911248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc000	0xc	0x200	91f5ae8677b733732f138811ec112cce	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa0a0	0x23c	data			0.4737762237762238
RT_MANIFEST	0xa2e0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
FileDescription
FileVersion	1.0.0.0
InternalName	wsss.exe
LegalCopyright
OriginalFilename	wsss.exe
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 347
• 2323 undefined
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 30, 2025 18:01:57.860748053 CEST	49718	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:01:58.867803097 CEST	49718	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:02:00.867813110 CEST	49718	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:02:03.377906084 CEST	49723	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:03.377952099 CEST	443	49723	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:03.378015995 CEST	49723	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:03.429526091 CEST	49723	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:03.429552078 CEST	443	49723	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:04.667454004 CEST	443	49723	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:04.667526960 CEST	49723	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:04.671586990 CEST	49723	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:04.671602964 CEST	443	49723	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:04.671937943 CEST	443	49723	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:04.711525917 CEST	49723	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:04.745069027 CEST	49723	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:04.792267084 CEST	443	49723	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:04.867818117 CEST	49718	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:02:04.974126101 CEST	443	49723	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:04.974184990 CEST	443	49723	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:04.974354029 CEST	49723	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:04.999166012 CEST	49723	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:04.999196053 CEST	443	49723	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:05.002682924 CEST	49725	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:05.002718925 CEST	443	49725	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:05.004554987 CEST	49725	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:05.004579067 CEST	49725	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:05.004584074 CEST	443	49725	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:06.035980940 CEST	443	49725	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:06.057593107 CEST	49725	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:06.057620049 CEST	443	49725	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:06.242305040 CEST	443	49725	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:06.242405891 CEST	443	49725	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:06.242521048 CEST	49725	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:06.270096064 CEST	49725	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:06.270138979 CEST	443	49725	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:08.306426048 CEST	49728	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:08.306480885 CEST	443	49728	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:08.306931973 CEST	49728	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:08.307183027 CEST	49728	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:08.307200909 CEST	443	49728	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:08.521465063 CEST	443	49728	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:08.524028063 CEST	49728	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:08.524053097 CEST	443	49728	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:08.728816986 CEST	443	49728	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:08.728952885 CEST	443	49728	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:08.729315996 CEST	49728	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:08.729345083 CEST	443	49728	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:08.729377985 CEST	49728	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:08.730539083 CEST	49729	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:08.730582952 CEST	443	49729	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:08.732546091 CEST	49729	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:08.732678890 CEST	49729	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:08.732692957 CEST	443	49729	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:08.948134899 CEST	443	49729	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:08.969396114 CEST	49729	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:08.969429016 CEST	443	49729	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:09.154546022 CEST	443	49729	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:09.154710054 CEST	443	49729	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:09.154809952 CEST	49729	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:09.158245087 CEST	49729	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:09.158289909 CEST	443	49729	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:11.165805101 CEST	49730	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:11.165853977 CEST	443	49730	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:11.166229010 CEST	49730	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:11.166273117 CEST	49730	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:11.166279078 CEST	443	49730	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:11.366199017 CEST	443	49730	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:11.368042946 CEST	49730	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:11.368081093 CEST	443	49730	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:11.580817938 CEST	443	49730	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:11.580974102 CEST	443	49730	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:11.581207991 CEST	49730	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:11.581422091 CEST	49730	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:11.581439972 CEST	443	49730	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:11.586138964 CEST	49732	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:11.586249113 CEST	443	49732	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:11.590379953 CEST	49732	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:11.593373060 CEST	49732	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:11.593405962 CEST	443	49732	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:12.488033056 CEST	443	49732	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:12.512425900 CEST	49732	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:12.512451887 CEST	443	49732	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:12.691482067 CEST	443	49732	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:12.691544056 CEST	443	49732	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:12.691617966 CEST	49732	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:12.694736958 CEST	49732	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:12.694756031 CEST	443	49732	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:12.867770910 CEST	49718	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:02:14.713449001 CEST	49733	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:14.713504076 CEST	443	49733	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:14.713665962 CEST	49733	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:14.713897943 CEST	49733	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:14.713911057 CEST	443	49733	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:15.364211082 CEST	443	49733	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:15.365653992 CEST	49733	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:15.365677118 CEST	443	49733	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:15.576950073 CEST	443	49733	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:15.577009916 CEST	443	49733	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:15.577860117 CEST	49733	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:15.578372002 CEST	49733	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:15.578391075 CEST	443	49733	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:15.579250097 CEST	49734	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:15.579286098 CEST	443	49734	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:15.580108881 CEST	49734	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:15.580507994 CEST	49734	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:15.580518961 CEST	443	49734	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:15.795933962 CEST	443	49734	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:15.797277927 CEST	49734	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:15.797302961 CEST	443	49734	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:16.332535028 CEST	443	49734	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:16.332598925 CEST	443	49734	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:16.332643986 CEST	49734	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:16.333503962 CEST	49734	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:16.333523035 CEST	443	49734	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:18.339454889 CEST	49735	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:18.339513063 CEST	443	49735	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:18.339579105 CEST	49735	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:18.340183973 CEST	49735	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:18.340195894 CEST	443	49735	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:18.552344084 CEST	443	49735	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:18.561306000 CEST	49735	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:18.561338902 CEST	443	49735	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:18.981596947 CEST	49736	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:02:19.124986887 CEST	443	49735	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:19.125057936 CEST	443	49735	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:19.125164986 CEST	49735	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:19.125389099 CEST	49735	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:19.125405073 CEST	443	49735	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:19.126255035 CEST	49737	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:19.126296043 CEST	443	49737	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:19.126368999 CEST	49737	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:19.126626015 CEST	49737	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:19.126637936 CEST	443	49737	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:19.339421988 CEST	443	49737	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:19.340796947 CEST	49737	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:19.340821028 CEST	443	49737	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:19.546248913 CEST	443	49737	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:19.546312094 CEST	443	49737	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:19.546559095 CEST	49737	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:19.546821117 CEST	49737	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:19.546842098 CEST	443	49737	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:19.994240046 CEST	49736	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:02:21.623845100 CEST	49738	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:21.623884916 CEST	443	49738	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:21.623963118 CEST	49738	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:21.624214888 CEST	49738	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:21.624232054 CEST	443	49738	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:21.834939003 CEST	443	49738	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:21.838557005 CEST	49738	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:21.838582993 CEST	443	49738	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:21.992803097 CEST	49736	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:02:22.042001009 CEST	443	49738	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:22.042133093 CEST	443	49738	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:22.042184114 CEST	49738	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:22.042445898 CEST	49738	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:22.042469025 CEST	443	49738	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:22.043509007 CEST	49739	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:22.043550968 CEST	443	49739	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:22.043622017 CEST	49739	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:22.043840885 CEST	49739	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:22.043859005 CEST	443	49739	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:22.930242062 CEST	443	49739	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:22.931834936 CEST	49739	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:22.931858063 CEST	443	49739	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:23.141793013 CEST	443	49739	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:23.141851902 CEST	443	49739	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:23.142324924 CEST	49739	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:23.142324924 CEST	49739	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:23.446232080 CEST	49739	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:23.446259975 CEST	443	49739	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:25.149966955 CEST	49740	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:25.149997950 CEST	443	49740	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:25.150079012 CEST	49740	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:25.150311947 CEST	49740	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:25.150325060 CEST	443	49740	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:25.994239092 CEST	49736	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:02:26.908786058 CEST	443	49740	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:26.909950972 CEST	49740	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:26.909986973 CEST	443	49740	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:27.471182108 CEST	443	49740	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:27.471268892 CEST	443	49740	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:27.471328974 CEST	49740	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:27.471599102 CEST	49740	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:27.471618891 CEST	443	49740	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:27.472564936 CEST	49741	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:27.472604036 CEST	443	49741	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:27.472703934 CEST	49741	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:27.472897053 CEST	49741	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:27.472908020 CEST	443	49741	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:27.683048964 CEST	443	49741	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:27.684696913 CEST	49741	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:27.684708118 CEST	443	49741	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:28.107691050 CEST	443	49741	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:28.107812881 CEST	443	49741	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:28.110608101 CEST	49741	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:28.110608101 CEST	49741	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:28.414912939 CEST	49741	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:28.414962053 CEST	443	49741	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:30.119122982 CEST	49742	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:30.119172096 CEST	443	49742	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:30.119283915 CEST	49742	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:30.119574070 CEST	49742	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:30.119587898 CEST	443	49742	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:30.337604046 CEST	443	49742	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:30.339158058 CEST	49742	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:30.339195013 CEST	443	49742	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:30.892802000 CEST	443	49742	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:30.892944098 CEST	443	49742	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:30.893022060 CEST	49742	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:30.893347025 CEST	49742	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:30.893368006 CEST	443	49742	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:30.894340038 CEST	49743	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:30.894376040 CEST	443	49743	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:30.894480944 CEST	49743	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:30.894758940 CEST	49743	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:30.894773006 CEST	443	49743	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:31.114685059 CEST	443	49743	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:31.116061926 CEST	49743	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:31.116085052 CEST	443	49743	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:31.321872950 CEST	443	49743	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:31.322009087 CEST	443	49743	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:31.322269917 CEST	49743	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:31.322463989 CEST	49743	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:31.322484970 CEST	443	49743	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:33.337822914 CEST	49744	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:33.337924957 CEST	443	49744	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:33.338064909 CEST	49744	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:33.338288069 CEST	49744	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:33.338318110 CEST	443	49744	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:33.992902040 CEST	49736	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:02:35.092570066 CEST	443	49744	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:35.093813896 CEST	49744	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:35.093852043 CEST	443	49744	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:35.294451952 CEST	443	49744	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:35.294612885 CEST	443	49744	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:35.294671059 CEST	49744	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:35.294887066 CEST	49744	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:35.294905901 CEST	443	49744	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:35.295717001 CEST	49745	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:35.295763969 CEST	443	49745	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:35.295851946 CEST	49745	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:35.296133041 CEST	49745	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:35.296149015 CEST	443	49745	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:35.511395931 CEST	443	49745	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:35.512860060 CEST	49745	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:35.512882948 CEST	443	49745	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:35.717708111 CEST	443	49745	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:35.717780113 CEST	443	49745	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:35.717859983 CEST	49745	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:35.718226910 CEST	49745	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:35.718245029 CEST	443	49745	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:37.731789112 CEST	49747	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:37.731832981 CEST	443	49747	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:37.731935024 CEST	49747	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:37.732141972 CEST	49747	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:37.732151031 CEST	443	49747	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:38.378863096 CEST	443	49747	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:38.380606890 CEST	49747	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:38.380634069 CEST	443	49747	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:38.912638903 CEST	443	49747	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:38.912714005 CEST	443	49747	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:38.912822962 CEST	49747	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:38.913224936 CEST	49747	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:38.913243055 CEST	443	49747	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:38.914187908 CEST	49748	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:38.914218903 CEST	443	49748	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:38.914355993 CEST	49748	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:38.914570093 CEST	49748	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:38.914582014 CEST	443	49748	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:39.557708025 CEST	443	49748	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:39.559215069 CEST	49748	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:39.559274912 CEST	443	49748	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:39.777228117 CEST	443	49748	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:39.777295113 CEST	443	49748	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:39.777477026 CEST	49748	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:39.777836084 CEST	49748	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:39.777874947 CEST	443	49748	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:41.791851997 CEST	49749	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:41.791924000 CEST	443	49749	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:41.791991949 CEST	49749	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:41.792582035 CEST	49749	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:41.792603016 CEST	443	49749	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:42.013917923 CEST	443	49749	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:42.015275002 CEST	49749	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:42.015351057 CEST	443	49749	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:42.587476015 CEST	443	49749	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:42.587552071 CEST	443	49749	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:42.588165045 CEST	49749	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:42.588165045 CEST	49749	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:42.589148998 CEST	49750	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:42.589205980 CEST	443	49750	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:42.589536905 CEST	49750	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:42.589536905 CEST	49750	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:42.589572906 CEST	443	49750	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:42.803914070 CEST	443	49750	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:42.805285931 CEST	49750	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:42.805319071 CEST	443	49750	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:42.899142027 CEST	49749	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:42.899178982 CEST	443	49749	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:43.006221056 CEST	443	49750	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:43.006280899 CEST	443	49750	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:43.006465912 CEST	49750	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:43.008281946 CEST	49750	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:43.008306026 CEST	443	49750	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:44.249473095 CEST	49751	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:02:45.009650946 CEST	49752	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:45.009710073 CEST	443	49752	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:45.009805918 CEST	49752	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:45.010066032 CEST	49752	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:45.010083914 CEST	443	49752	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:45.226012945 CEST	443	49752	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:45.227848053 CEST	49752	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:45.227876902 CEST	443	49752	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:45.258496046 CEST	49751	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:02:45.437536001 CEST	443	49752	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:45.437602043 CEST	443	49752	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:45.437663078 CEST	49752	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:45.438256979 CEST	49752	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:45.438282967 CEST	443	49752	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:45.439692020 CEST	49753	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:45.439733028 CEST	443	49753	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:45.439822912 CEST	49753	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:45.440033913 CEST	49753	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:45.440043926 CEST	443	49753	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:45.654840946 CEST	443	49753	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:45.656296015 CEST	49753	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:45.656320095 CEST	443	49753	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:46.197817087 CEST	443	49753	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:46.197875023 CEST	443	49753	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:46.198064089 CEST	49753	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:46.198292017 CEST	49753	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:46.198309898 CEST	443	49753	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:47.258477926 CEST	49751	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:02:48.229116917 CEST	49754	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:48.229159117 CEST	443	49754	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:48.229244947 CEST	49754	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:48.229486942 CEST	49754	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:48.229500055 CEST	443	49754	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:48.447395086 CEST	443	49754	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:48.456065893 CEST	49754	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:48.456088066 CEST	443	49754	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:48.668545961 CEST	443	49754	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:48.668607950 CEST	443	49754	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:48.668648005 CEST	49754	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:48.668979883 CEST	49754	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:48.668997049 CEST	443	49754	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:48.669898033 CEST	49755	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:48.669946909 CEST	443	49755	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:48.670023918 CEST	49755	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:48.670317888 CEST	49755	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:48.670331001 CEST	443	49755	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:48.880742073 CEST	443	49755	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:48.882126093 CEST	49755	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:48.882160902 CEST	443	49755	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:49.084063053 CEST	443	49755	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:49.084129095 CEST	443	49755	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:49.086342096 CEST	49755	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:49.086918116 CEST	49755	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:49.086941957 CEST	443	49755	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:51.255306959 CEST	49756	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:51.255357027 CEST	443	49756	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:51.255423069 CEST	49756	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:51.255846977 CEST	49756	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:51.255856991 CEST	443	49756	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:51.274045944 CEST	49751	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:02:51.462295055 CEST	443	49756	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:51.463639975 CEST	49756	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:51.463685036 CEST	443	49756	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:51.672055006 CEST	443	49756	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:51.672131062 CEST	443	49756	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:51.672180891 CEST	49756	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:51.672456980 CEST	49756	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:51.672477007 CEST	443	49756	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:51.673492908 CEST	49757	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:51.673531055 CEST	443	49757	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:51.673604965 CEST	49757	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:51.673907042 CEST	49757	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:51.673919916 CEST	443	49757	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:53.316576004 CEST	443	49757	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:53.317951918 CEST	49757	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:53.317971945 CEST	443	49757	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:53.524561882 CEST	443	49757	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:53.524621964 CEST	443	49757	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:53.524666071 CEST	49757	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:53.524991035 CEST	49757	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:53.525011063 CEST	443	49757	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:55.541379929 CEST	49758	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:55.541496038 CEST	443	49758	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:55.541667938 CEST	49758	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:55.542012930 CEST	49758	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:55.542042971 CEST	443	49758	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:55.755772114 CEST	443	49758	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:55.757539034 CEST	49758	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:55.757565975 CEST	443	49758	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:55.971395969 CEST	443	49758	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:55.971457005 CEST	443	49758	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:55.971507072 CEST	49758	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:55.972095013 CEST	49758	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:55.972115040 CEST	443	49758	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:55.973376036 CEST	49759	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:55.973417997 CEST	443	49759	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:55.973498106 CEST	49759	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:55.973818064 CEST	49759	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:55.973829031 CEST	443	49759	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:56.938483000 CEST	443	49759	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:56.939752102 CEST	49759	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:56.939784050 CEST	443	49759	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:57.153872967 CEST	443	49759	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:57.153927088 CEST	443	49759	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:57.154038906 CEST	49759	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:57.154418945 CEST	49759	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:57.154447079 CEST	443	49759	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:59.165875912 CEST	49760	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:59.165932894 CEST	443	49760	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:59.168463945 CEST	49760	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:59.168819904 CEST	49760	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:02:59.168833017 CEST	443	49760	207.174.26.219	192.168.2.4
Mar 30, 2025 18:02:59.274101973 CEST	49751	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:03:00.414608002 CEST	443	49760	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:00.415898085 CEST	49760	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:00.415925026 CEST	443	49760	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:00.995311022 CEST	443	49760	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:00.995373011 CEST	443	49760	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:00.995457888 CEST	49760	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:00.996124029 CEST	49760	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:00.996145010 CEST	443	49760	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:00.997150898 CEST	49761	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:00.997189999 CEST	443	49761	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:00.997292995 CEST	49761	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:00.997575045 CEST	49761	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:00.997602940 CEST	443	49761	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:04.359181881 CEST	443	49761	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:04.361079931 CEST	49761	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:04.361109018 CEST	443	49761	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:04.767391920 CEST	443	49761	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:04.767553091 CEST	443	49761	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:04.767631054 CEST	49761	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:04.768032074 CEST	49761	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:04.768047094 CEST	443	49761	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:05.402548075 CEST	49762	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:03:06.414654970 CEST	49762	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:03:06.780492067 CEST	49763	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:06.780531883 CEST	443	49763	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:06.780607939 CEST	49763	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:06.781198025 CEST	49763	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:06.781219006 CEST	443	49763	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:08.030066013 CEST	443	49763	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:08.038220882 CEST	49763	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:08.038254976 CEST	443	49763	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:08.254240036 CEST	443	49763	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:08.254314899 CEST	443	49763	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:08.254354954 CEST	49763	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:08.255676031 CEST	49763	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:08.255695105 CEST	443	49763	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:08.256810904 CEST	49764	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:08.256844044 CEST	443	49764	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:08.256902933 CEST	49764	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:08.257163048 CEST	49764	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:08.257175922 CEST	443	49764	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:08.414659023 CEST	49762	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:03:09.494908094 CEST	443	49764	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:09.496115923 CEST	49764	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:09.496143103 CEST	443	49764	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:09.710910082 CEST	443	49764	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:09.711076975 CEST	443	49764	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:09.711433887 CEST	49764	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:09.711555958 CEST	49764	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:09.711586952 CEST	443	49764	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:11.728315115 CEST	49765	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:11.728395939 CEST	443	49765	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:11.732589960 CEST	49765	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:11.732696056 CEST	49765	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:11.732716084 CEST	443	49765	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:11.942291975 CEST	443	49765	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:11.950217009 CEST	49765	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:11.950243950 CEST	443	49765	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:12.155510902 CEST	443	49765	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:12.155570984 CEST	443	49765	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:12.155615091 CEST	49765	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:12.155926943 CEST	49765	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:12.155945063 CEST	443	49765	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:12.157077074 CEST	49766	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:12.157119036 CEST	443	49766	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:12.157203913 CEST	49766	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:12.157459021 CEST	49766	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:12.157474041 CEST	443	49766	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:12.414650917 CEST	49762	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:03:13.408461094 CEST	443	49766	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:13.409823895 CEST	49766	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:13.409845114 CEST	443	49766	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:14.006788969 CEST	443	49766	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:14.006849051 CEST	443	49766	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:14.007065058 CEST	49766	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:14.010248899 CEST	49766	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:14.010278940 CEST	443	49766	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:15.888689041 CEST	49767	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:15.888758898 CEST	443	49767	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:15.888866901 CEST	49767	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:15.894303083 CEST	49767	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:15.894320011 CEST	443	49767	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:16.107579947 CEST	443	49767	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:16.108809948 CEST	49767	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:16.108849049 CEST	443	49767	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:16.318607092 CEST	443	49767	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:16.318696022 CEST	443	49767	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:16.318744898 CEST	49767	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:16.319228888 CEST	49767	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:16.319247007 CEST	443	49767	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:16.320401907 CEST	49768	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:16.320488930 CEST	443	49768	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:16.320569038 CEST	49768	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:16.320861101 CEST	49768	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:16.320899010 CEST	443	49768	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:16.538373947 CEST	443	49768	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:16.540031910 CEST	49768	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:16.540082932 CEST	443	49768	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:16.754456997 CEST	443	49768	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:16.754545927 CEST	443	49768	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:16.754587889 CEST	49768	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:16.754867077 CEST	49768	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:16.754884005 CEST	443	49768	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:18.537580013 CEST	49769	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:18.537626982 CEST	443	49769	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:18.537700891 CEST	49769	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:18.538072109 CEST	49769	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:18.538089037 CEST	443	49769	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:18.752091885 CEST	443	49769	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:18.758977890 CEST	49769	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:18.759001970 CEST	443	49769	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:19.641450882 CEST	443	49769	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:19.641510963 CEST	443	49769	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:19.641591072 CEST	49769	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:19.641999006 CEST	49769	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:19.642040014 CEST	443	49769	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:19.643009901 CEST	49770	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:19.643059015 CEST	443	49770	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:19.643208027 CEST	49770	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:19.643502951 CEST	49770	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:19.643522024 CEST	443	49770	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:20.414668083 CEST	49762	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:03:20.885814905 CEST	443	49770	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:20.887136936 CEST	49770	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:20.887166977 CEST	443	49770	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:21.096788883 CEST	443	49770	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:21.096925020 CEST	443	49770	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:21.097022057 CEST	49770	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:21.097385883 CEST	49770	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:21.097405910 CEST	443	49770	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:22.728408098 CEST	49771	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:22.728473902 CEST	443	49771	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:22.728549004 CEST	49771	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:22.728797913 CEST	49771	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:22.728815079 CEST	443	49771	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:22.938498974 CEST	443	49771	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:22.940309048 CEST	49771	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:22.940351009 CEST	443	49771	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:23.146414995 CEST	443	49771	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:23.146486044 CEST	443	49771	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:23.146934986 CEST	49771	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:23.146934986 CEST	49771	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:23.149200916 CEST	49772	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:23.149245977 CEST	443	49772	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:23.152403116 CEST	49772	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:23.158201933 CEST	49772	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:23.158230066 CEST	443	49772	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:23.464214087 CEST	49771	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:23.464262962 CEST	443	49771	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:24.986368895 CEST	443	49772	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:24.988188982 CEST	49772	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:24.988220930 CEST	443	49772	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:25.196526051 CEST	443	49772	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:25.196597099 CEST	443	49772	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:25.196852922 CEST	49772	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:25.200313091 CEST	49772	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:25.200334072 CEST	443	49772	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:26.728624105 CEST	49773	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:26.728667021 CEST	443	49773	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:26.728728056 CEST	49773	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:26.729043007 CEST	49773	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:26.729060888 CEST	443	49773	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:26.939352036 CEST	443	49773	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:26.940851927 CEST	49773	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:26.940881968 CEST	443	49773	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:27.148777008 CEST	443	49773	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:27.148849964 CEST	443	49773	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:27.153480053 CEST	49773	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:27.153480053 CEST	49773	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:27.156491995 CEST	49774	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:27.156543016 CEST	443	49774	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:27.160717964 CEST	49774	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:27.165486097 CEST	49774	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:27.165507078 CEST	443	49774	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:27.376173019 CEST	443	49774	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:27.380311966 CEST	49774	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:27.380367041 CEST	443	49774	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:27.464303017 CEST	49773	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:27.464348078 CEST	443	49773	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:27.904109001 CEST	443	49774	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:27.904247046 CEST	443	49774	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:27.904423952 CEST	49774	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:27.904616117 CEST	49774	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:27.904654980 CEST	443	49774	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:29.325556993 CEST	49775	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:29.325612068 CEST	443	49775	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:29.327817917 CEST	49775	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:29.328296900 CEST	49775	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:29.328313112 CEST	443	49775	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:29.405406952 CEST	49775	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:29.448276043 CEST	443	49775	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:29.540899038 CEST	443	49775	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:29.541088104 CEST	443	49775	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:29.545628071 CEST	49775	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:29.545628071 CEST	49775	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:30.076205969 CEST	49776	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:03:30.759526014 CEST	49777	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:30.759571075 CEST	443	49777	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:30.759716988 CEST	49777	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:30.760068893 CEST	49777	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:30.760082006 CEST	443	49777	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:30.959673882 CEST	443	49777	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:30.959817886 CEST	49777	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:30.961741924 CEST	49777	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:30.961755991 CEST	443	49777	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:30.962007999 CEST	443	49777	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:30.962907076 CEST	49777	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:31.008269072 CEST	443	49777	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:31.150193930 CEST	49776	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:03:31.204178095 CEST	443	49777	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:31.204232931 CEST	443	49777	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:31.205518007 CEST	49777	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:31.205518007 CEST	49777	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:31.206248045 CEST	49778	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:31.206290007 CEST	443	49778	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:31.210509062 CEST	49778	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:31.210510015 CEST	49778	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:31.210550070 CEST	443	49778	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:31.528872967 CEST	49777	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:31.528898001 CEST	443	49777	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:32.431520939 CEST	443	49778	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:32.481899977 CEST	49778	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:32.482223034 CEST	443	49778	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:32.482285976 CEST	49778	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:33.149163961 CEST	49776	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:03:33.728290081 CEST	49779	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:33.728327990 CEST	443	49779	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:33.728512049 CEST	49779	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:33.728781939 CEST	49779	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:33.728791952 CEST	443	49779	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:34.595357895 CEST	443	49779	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:34.595470905 CEST	49779	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:34.597138882 CEST	49779	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:34.597146034 CEST	443	49779	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:34.597964048 CEST	443	49779	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:34.599344015 CEST	49779	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:34.599417925 CEST	443	49779	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:34.599493980 CEST	49779	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:35.801574945 CEST	49780	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:35.801615000 CEST	443	49780	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:35.801692009 CEST	49780	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:35.802871943 CEST	49780	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:35.802881956 CEST	443	49780	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:36.017417908 CEST	443	49780	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:36.017487049 CEST	49780	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:36.101753950 CEST	49780	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:36.101771116 CEST	443	49780	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:36.102804899 CEST	443	49780	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:36.104888916 CEST	49780	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:36.104974031 CEST	443	49780	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:36.105046988 CEST	49780	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:37.181807995 CEST	49781	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:37.181900978 CEST	443	49781	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:37.181999922 CEST	49781	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:37.182296038 CEST	49781	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:37.182329893 CEST	443	49781	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:37.242799044 CEST	49776	2323	192.168.2.4	147.185.221.21
Mar 30, 2025 18:03:37.393366098 CEST	443	49781	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:37.393449068 CEST	49781	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:37.395277977 CEST	49781	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:37.395286083 CEST	443	49781	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:37.395518064 CEST	443	49781	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:37.397022009 CEST	49781	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:37.397047997 CEST	443	49781	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:37.397161961 CEST	443	49781	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:37.397182941 CEST	49781	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:37.397208929 CEST	49781	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:43.601737976 CEST	49784	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:43.601850033 CEST	443	49784	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:43.602018118 CEST	49784	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:43.602370024 CEST	49784	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:43.602401018 CEST	443	49784	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:43.824807882 CEST	443	49784	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:43.824884892 CEST	49784	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:43.826939106 CEST	49784	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:43.826952934 CEST	443	49784	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:43.827267885 CEST	443	49784	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:43.828939915 CEST	49784	443	192.168.2.4	207.174.26.219
Mar 30, 2025 18:03:43.828994989 CEST	443	49784	207.174.26.219	192.168.2.4
Mar 30, 2025 18:03:43.829090118 CEST	49784	443	192.168.2.4	207.174.26.219

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 30, 2025 18:01:57.749797106 CEST	56280	53	192.168.2.4	1.1.1.1
Mar 30, 2025 18:01:57.853878975 CEST	53	56280	1.1.1.1	192.168.2.4
Mar 30, 2025 18:02:03.243520975 CEST	57578	53	192.168.2.4	1.1.1.1
Mar 30, 2025 18:02:03.346901894 CEST	53	57578	1.1.1.1	192.168.2.4
Mar 30, 2025 18:02:37.071497917 CEST	53	58847	162.159.36.2	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 30, 2025 18:01:57.749797106 CEST	192.168.2.4	1.1.1.1	0xe0c9	Standard query (0)	functions-pressing.gl.at.ply.gg	A (IP address)	IN (0x0001)	false
Mar 30, 2025 18:02:03.243520975 CEST	192.168.2.4	1.1.1.1	0xe833	Standard query (0)	i.ibb.co	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 30, 2025 18:01:57.853878975 CEST	1.1.1.1	192.168.2.4	0xe0c9	No error (0)	functions-pressing.gl.at.ply.gg		147.185.221.21	A (IP address)	IN (0x0001)	false
Mar 30, 2025 18:02:03.346901894 CEST	1.1.1.1	192.168.2.4	0xe833	No error (0)	i.ibb.co		207.174.26.219	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

i.ibb.co

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49723	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:04 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49725	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:06 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49728	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:08 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49729	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:08 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49730	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:11 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49732	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:12 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49733	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:15 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49734	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:15 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49735	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:18 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49737	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:19 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49738	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:21 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49739	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:22 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49740	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:26 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49741	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:27 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49742	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:30 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49743	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:31 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49744	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:35 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49745	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:35 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49747	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:38 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49748	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:39 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49749	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:42 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49750	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:42 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49752	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:45 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49753	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:45 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49754	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:48 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49755	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:48 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49756	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:51 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49757	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:53 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49758	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:55 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49759	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:02:56 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49760	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:03:00 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49761	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:03:04 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49763	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:03:08 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49764	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:03:09 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49765	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:03:11 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49766	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:03:13 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49767	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:03:16 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49768	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:03:16 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49769	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:03:18 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49770	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:03:20 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49771	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:03:22 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49772	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:03:24 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49773	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:03:26 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49774	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:03:27 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49777	207.174.26.219	443	7544	C:\Users\user\Desktop\XC.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-30 16:03:30 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Statistics

CPU Usage

• XC.exe
• WerFault.exe

Click to jump to process

Memory Usage

• XC.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Click to jump to process

System Behavior

Analysis Process: XC.exePID: 7544, Parent PID: 3964

Function Logs

General

Target ID:	0
Start time:	12:01:54
Start date:	30/03/2025
Path:	C:\Users\user\Desktop\XC.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\XC.exe"
Imagebase:	0xa0000
File size:	31'232 bytes
MD5 hash:	1D985DB975F8902BAAC8A83B84D1E1F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1172680759.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1172680759.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Created

File Read

File Attributes Queried

Other File Operations

Volume Information Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Monitored

Key Value Enumerated

Key Enumerated

COM Activities

COM Object Queried

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread APC Queued

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Set

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Network Activities

Socket bound

Socket connected

Process Token Activities

Token Adjusted

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 3148, Parent PID: 7544

Function Logs

General

Target ID:	12
Start time:	12:03:37
Start date:	30/03/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7544 -s 2268
Imagebase:	0x7ff7f2040000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Attributes Queried

Other File Operations

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Deleted

Key Value Created

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Process Suspended

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Terminated

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Set

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: XC.exePID: 7544, Parent PID: 3964COMMON

Executed Functions

Function 00007FFC3D3514D5 Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

h_$=, xrefs: 00007FFC3D351552

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID: h_$=
API String ID: 0-297190602
Opcode ID: 6ad109528c7849225f2d0339bc4ce952316bb7146ade4467109f48d52306a7fd
Instruction ID: 699e79a415c60d90771662897a9b8119d9755ebbf2d79901eab00ff0b7fa19d2
Opcode Fuzzy Hash: 6ad109528c7849225f2d0339bc4ce952316bb7146ade4467109f48d52306a7fd
Instruction Fuzzy Hash: C8813B31A1896D4FD798EB6888592B9B7F2FFD8351F04027AE00EC3292EE35AC05C751

Function 00007FFC3D352683 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

Px$=, xrefs: 00007FFC3D3526C5

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID: Px$=
API String ID: 0-422266081
Opcode ID: dee0decbf2e8b6c4d4beb36de9df383fb86513fd837bba0c18737d0f3230fad8
Instruction ID: 956eb53f09c3c961fd0274bfaf49415b2ad8816ec855b23a1cdebbe5ad599df7
Opcode Fuzzy Hash: dee0decbf2e8b6c4d4beb36de9df383fb86513fd837bba0c18737d0f3230fad8
Instruction Fuzzy Hash: 3661377190C65E8FD758DBA898456B8BBF1EF95361F0441BED00CC3193EB39A846C7A1

Function 00007FFC3D350915 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd2f76c62695a5bc10b13cd7480ba5f5cabc77121cf0afa9edf5478e321b63f
Instruction ID: b42dd264891e11804768eff0f6e520a6d594338aa386ad54a60ccce69cffa74e
Opcode Fuzzy Hash: 0bd2f76c62695a5bc10b13cd7480ba5f5cabc77121cf0afa9edf5478e321b63f
Instruction Fuzzy Hash: 13612661B2C9AE4FEBA4E77894291F97BE2FF88250B4005B9D04EC31D7ED295D11C391

Function 00007FFC3D351B6A Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08d4dd4a5ea818f924478270d6d931d4c3c0f99fd4d986451f424b334b42117
Instruction ID: 645301f724d129ba30c88ca17d283ef76d5a88d83e1b6cdb2445b345c45b6289
Opcode Fuzzy Hash: e08d4dd4a5ea818f924478270d6d931d4c3c0f99fd4d986451f424b334b42117
Instruction Fuzzy Hash: B0514871B1896E4FEBA8E72C80592B8B7E2EFD8390B440579C00ED32D6ED395C06C750

Function 00007FFC3D3517E9 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb2cca4aec0c2b99c73a690e395fca601e1451b486ef91c405048a6ab358d5f
Instruction ID: 6324095fe7f1dc90dfe107e85b472f60ca09bfd88745a124c566d29676cbb65f
Opcode Fuzzy Hash: 9bb2cca4aec0c2b99c73a690e395fca601e1451b486ef91c405048a6ab358d5f
Instruction Fuzzy Hash: EC5113B050D69D8FDB9ADB689864AB8BFF0FF52311B0401BFD049C7192DB389845CB52

Function 00007FFC3D350F9E Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6446abee4b99a87f606d5841dec9ad94ff57d48be957751c71ff5cb91db77edb
Instruction ID: b3556c08c93a19578fb0f98afa08bc043f6b66e3a7fa56fd7519d325c5b4ce19
Opcode Fuzzy Hash: 6446abee4b99a87f606d5841dec9ad94ff57d48be957751c71ff5cb91db77edb
Instruction Fuzzy Hash: BB513C21B1DAAE0FE7A6A37858565757FE2EFC6210B0900FAD44DC7193EC1D9C46C362

Function 00007FFC3D3506FD Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e352764e900fb6c698ffe03fcc19df82f81fff6c7f71ac910c18444f8713cc67
Instruction ID: 01e32dfccfe5654c04ecde5d67301a4ebb7c81b5c1dd608a12ae1140056ed0f1
Opcode Fuzzy Hash: e352764e900fb6c698ffe03fcc19df82f81fff6c7f71ac910c18444f8713cc67
Instruction Fuzzy Hash: DC51D070A0892D8FDBA8EB68D455AF97BF0FF95311F00017EE04EC3292DA35A845CB61

Function 00007FFC3D350B89 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f92d5c9f98336f4d6c032227664ee7ad567516fe5c00d271ecb2dacfbe12a7
Instruction ID: 7789cee93e93cd5f98de0d2603879b61284a79e3b36e1be805cc3a9e1b1b1087
Opcode Fuzzy Hash: c0f92d5c9f98336f4d6c032227664ee7ad567516fe5c00d271ecb2dacfbe12a7
Instruction Fuzzy Hash: 23410720B1C99D4FEB94E76C5859275BBD2EF9A315B0801BEE04DC32A3ED589C02C351

Function 00007FFC3D350748 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0f43dc4931d8f26c69b4cb3d80e22ca39893499f21add4b116037f371b9f13
Instruction ID: 4bffd67b2bfb1d3925c94b49b9aba19dc4cf3e1bdbcccb03b981441ee73b5132
Opcode Fuzzy Hash: fd0f43dc4931d8f26c69b4cb3d80e22ca39893499f21add4b116037f371b9f13
Instruction Fuzzy Hash: B5419DB4A18A1C8FDBA8EF58D459AB9BBF1FB95311F00016ED00ED3292DA75A841CB51

Function 00007FFC3D3504C8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e421e13dd7a8a92f5f159472b4053024960604cdbc1fda0ce1e6c705a98e78c
Instruction ID: 5b8ae2a259e6b19cbe93c85760e04556c93bd132b46df38f44732de51b4877e3
Opcode Fuzzy Hash: 3e421e13dd7a8a92f5f159472b4053024960604cdbc1fda0ce1e6c705a98e78c
Instruction Fuzzy Hash: 7D31B321B1895D4FEB98EB2C945A279BBD2EB9D315F0505BEE00EC32E3ED699C01C351

Function 00007FFC3D350CF1 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c3103fef7363ac91e9461b55d3843eeb2df68b51fe5c724c41c3663b8ec9aa
Instruction ID: 1698fc598d1bf5499f7221cc9de464a5553904240acc5defd9c9abc8e46c3ca4
Opcode Fuzzy Hash: a5c3103fef7363ac91e9461b55d3843eeb2df68b51fe5c724c41c3663b8ec9aa
Instruction Fuzzy Hash: 7141DF74A1865E8FDB90E7A894656FDBBF2EF88310F500579D00DC3287EE39A845C761

Function 00007FFC3D350E39 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c645855c395c0559da3085908749969016f508f75c6b7c9232fb8d99301defb
Instruction ID: 9386fbc5d47e6b6bb1f46c7d77a256b5dab462928103406289baf53aebe244f6
Opcode Fuzzy Hash: 1c645855c395c0559da3085908749969016f508f75c6b7c9232fb8d99301defb
Instruction Fuzzy Hash: 9531D611B1895E4FEB94F7A898593BDBBE2EF94380F1442B6E40DC3293ED289C41C761

Function 00007FFC3D351A64 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f3d13d7b3fe887f13fdba40b7140e974e744983b269646776a772eb25d1c3c
Instruction ID: 6ccdad870bd224efdd1036ae7c0af37ad0ca3071728e45712f2a78f513ff4881
Opcode Fuzzy Hash: 19f3d13d7b3fe887f13fdba40b7140e974e744983b269646776a772eb25d1c3c
Instruction Fuzzy Hash: 8731E36181D6CA1FE757837418162A5BFB1DF532A0F1802EAD095C71E7E96D184AC372

Function 00007FFC3D3512E1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acdc7571c8db082fe86828ba4b61a5ed6c4601d9a32f62d65b820196b532a81d
Instruction ID: 2371dddc8fcf2ffb62cafa5c14046da1108adb56b37e8818de3120334889d8c7
Opcode Fuzzy Hash: acdc7571c8db082fe86828ba4b61a5ed6c4601d9a32f62d65b820196b532a81d
Instruction Fuzzy Hash: B711D610D2D2AE0BE3A6A6B448611B97FB25FC2390F4404B5D048CA5C3FD3D9C5AD372

Function 00007FFC3D35139D Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a870c28dd794cbaa0d89a9ccdff08834df9eabeae89d9c99969d9fba6f4c37b6
Instruction ID: 46e50ccb1e36cd8f6e91b75dc7450c556bf6fd9cf62f28d84d18e1277e490ca2
Opcode Fuzzy Hash: a870c28dd794cbaa0d89a9ccdff08834df9eabeae89d9c99969d9fba6f4c37b6
Instruction Fuzzy Hash: 271123F091859D8FD798CF28A4B92B97FF2EBD9200F0441BFC40DD3A96DA7518058711

Function 00007FFC3D3506F8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be8c6f1689c1f4acc74443b0d5d46cf7bd8ea8e9b59bf075a8bb044f40aab59
Instruction ID: 6afcc7acb568600cd41f137e04ab9799c31cd61b07f768d10f546a26d16beaa3
Opcode Fuzzy Hash: 8be8c6f1689c1f4acc74443b0d5d46cf7bd8ea8e9b59bf075a8bb044f40aab59
Instruction Fuzzy Hash: C201B5A1E2895E4BEBA4D76854193BA79F6FB98350F900139E00EC32D3ED691C06C666

Function 00007FFC3D351451 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3430d1691e1ffa1da91552192739746d3ae535a693b190b7a144d8db8d15fe98
Instruction ID: 9fafd4f8a2513b6c5ee9c63a1e0df05ad6cee0602b00697e9c7c792a93aeb5a3
Opcode Fuzzy Hash: 3430d1691e1ffa1da91552192739746d3ae535a693b190b7a144d8db8d15fe98
Instruction Fuzzy Hash: BFF0A250E1D5AE4FF794A2B404562B87AE2AF94280F4000B9D04DC71C7FD2D5C56C361

Function 00007FFC3D35179D Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce27e157a21792421a3c3974e16503867058fd3025ccd5ee48d505082cd5435
Instruction ID: 81e1cfe8dc7c2adb0f8bb707d1ccc980f038f3a5fbe6bc9fc58d15d0a6b103a2
Opcode Fuzzy Hash: 5ce27e157a21792421a3c3974e16503867058fd3025ccd5ee48d505082cd5435
Instruction Fuzzy Hash: C6E0653110C55C5FD754BA659C096EB3B68FBD1335F00126EF44EC3142E5266132C7A1

Function 00007FFC3D351348 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0f3d1d0773ce599457a18ea3e5a2628f60855636f5e1e895891376def14335
Instruction ID: ce42cf5b921572c23488f28228d509bd9e34c2b758dd1af5f842388a0242c2b9
Opcode Fuzzy Hash: 0e0f3d1d0773ce599457a18ea3e5a2628f60855636f5e1e895891376def14335
Instruction Fuzzy Hash: 22F0AD7092C82E4AE3A4EBA4C0602B8B7B3ABD13A0F500934C01DC65C1FE38AC59D6A0

Function 00007FFC3D3512A4 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375ddc3850bfae6dd8eefa56bd326102a1b4424021f6b7315bbf57b275fc1193
Instruction ID: 1508b0c7befacfb3d1b7277ab9f7851119b64fcb5aee2be983685c5f29c9f6e0
Opcode Fuzzy Hash: 375ddc3850bfae6dd8eefa56bd326102a1b4424021f6b7315bbf57b275fc1193
Instruction Fuzzy Hash: 5AD0C200C1D2CA0BE34B26B40C424D0BF618E831E0B4902D1D480C60D3E85D289ED372

Function 00007FFC3D351161 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2267953628.00007FFC3D350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3d350000_XC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7019fbb0a3a85a3b56b759e7d741595490c6a78cde8f22acfa0f8d22890a40
Instruction ID: 3c514e17eec7334e34b08651e1132b76e73e4652468de4e0aae6e54cd1ce8f53
Opcode Fuzzy Hash: bf7019fbb0a3a85a3b56b759e7d741595490c6a78cde8f22acfa0f8d22890a40
Instruction Fuzzy Hash: 9EE02B31C2934E4FDB916B5058131EA7730FF40200F800597F40CC6052EF39A6148793

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report XC.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_XC.exe_9d7ec26e988816188cbeedede33f64224691688_e4acab1b_0d3de102-cc8a-4d04-a0f6-023ae447f1cf\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER190D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F09.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F97.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Windows Analysis Report
XC.exe