Edit tour

Windows Analysis Report
1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Overview

General Information

Sample name:	1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe
Analysis ID:	1652321
MD5:	34b93b2c17fda25deeea946dbd2d6f4f
SHA1:	3f9dbac838bb4d03a7fbd5eb3bc0f80a7cdb98d0
SHA256:	3f3efdcd3b7961fb3974605017cec30b73f210f27dd96c5a3e6eb8cb3422f990
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Joe Sandbox ML detected suspicious sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe (PID: 6688 cmdline: "C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe" MD5: 34B93B2C17FDA25DEEEA946DBD2D6F4F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{
  "C2 url": [
    "jeggawire.ddns.net"
  ],
  "Port": 1111,
  "Aes key": "<123456789>",
  "SPL": "<Xwormmm>",
  "Install file": "USB.exe",
  "Version": "XWorm V5.0"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x6377:$str01: $VB$Local_Port 0x6368:$str02: $VB$Local_Host 0x6662:$str03: get_Jpeg 0x6027:$str04: get_ServicePack 0x70de:$str05: Select * from AntivirusProduct 0x72dc:$str06: PCRestart 0x72f0:$str07: shutdown.exe /f /r /t 0 0x73a2:$str08: StopReport 0x7378:$str09: StopDDos 0x746e:$str10: sendPlugin 0x760c:$str12: -ExecutionPolicy Bypass -File " 0x7735:$str13: Content-length: 5235
1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x79a2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7a3f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7b54:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7650:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.845459377.0000000000D12000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.845459377.0000000000D12000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x77a2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x783f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7954:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7450:$cnc4: POST / HTTP/1.1
00000000.00000002.3295885287.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe PID: 6688	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe.d10000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe.d10000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x6377:$str01: $VB$Local_Port 0x6368:$str02: $VB$Local_Host 0x6662:$str03: get_Jpeg 0x6027:$str04: get_ServicePack 0x70de:$str05: Select * from AntivirusProduct 0x72dc:$str06: PCRestart 0x72f0:$str07: shutdown.exe /f /r /t 0 0x73a2:$str08: StopReport 0x7378:$str09: StopDDos 0x746e:$str10: sendPlugin 0x760c:$str12: -ExecutionPolicy Bypass -File " 0x7735:$str13: Content-length: 5235
0.0.1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe.d10000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x79a2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7a3f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7b54:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7650:$cnc4: POST / HTTP/1.1

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-30T21:27:27.614600+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:27:33.454209+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:27:45.411905+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:27:56.303025+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:27:57.611640+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:07.714589+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:19.130672+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:25.416278+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:29.948778+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:41.192181+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:46.103742+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:46.343700+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:51.553513+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:52.463500+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:57.615932+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:01.962149+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:07.831686+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:08.069345+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:13.633201+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:13.866448+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:25.312378+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:25.546045+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:27.915483+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:28.253877+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:30.320411+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:31.391749+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:31.619078+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:42.953932+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:50.773589+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:55.821924+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:56.458005+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:01.097292+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:02.250302+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:02.485152+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:03.754366+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:07.397362+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:07.621090+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:12.017723+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:17.527768+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:23.092872+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:23.600877+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:27.607322+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:30.036452+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:30.868031+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:34.867804+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:35.098258+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:35.784047+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:38.923472+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:41.227771+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:41.455703+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:51.600466+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:53.177985+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:56.679169+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:56.919637+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:57.614457+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:58.189288+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:01.611659+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:02.123407+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:02.356987+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:02.585904+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:05.082344+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:06.707734+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:18.128359+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:18.877567+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:27.922988+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:30.297114+0200	2852870	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-30T21:27:33.458145+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:27:45.518653+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:27:56.320232+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:07.716815+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:08.117386+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:19.134169+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:30.610950+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:30.908317+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:41.196427+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:46.346936+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:46.643721+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:51.555880+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:52.483082+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:01.976963+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:08.069497+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:08.351763+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:14.115866+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:25.546126+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:25.773750+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:30.322001+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:31.619178+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:31.845624+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:42.955450+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:50.779612+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:55.823358+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:56.459568+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:57.914146+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:01.099420+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:02.485803+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:02.713711+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:03.788425+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:04.149687+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:07.621186+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:07.859692+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:12.019601+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:18.620878+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:23.095094+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:30.084454+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:30.871542+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:36.066657+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:38.925674+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:39.273321+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:39.635564+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:41.458152+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:41.682696+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:51.604608+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:53.180473+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:57.149316+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:58.253742+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:01.613311+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:02.585980+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:02.874121+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:03.335744+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:05.083306+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:06.746584+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:07.148152+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:18.131492+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:18.878666+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:30.298154+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-30T21:27:27.614600+0200	2852874	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:27:57.611640+0200	2852874	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:57.615932+0200	2852874	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:27.915483+0200	2852874	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:28.253877+0200	2852874	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:27.607322+0200	2852874	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:57.614457+0200	2852874	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:27.922988+0200	2852874	1	Malware Command and Control Activity Detected	176.65.134.56	1111	192.168.2.7	49681	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-30T21:30:00.570344+0200	2853193	1	Malware Command and Control Activity Detected	192.168.2.7	49681	176.65.134.56	1111	TCP

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Avira: detected

Found malware configuration

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Malware Configuration Extractor: Xworm {"C2 url": ["jeggawire.ddns.net"], "Port": 1111, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.0"}

Multi AV Scanner detection for submitted file

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Virustotal: Detection: 83%			Perma Link
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	ReversingLabs: Detection: 86%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 96.1%

Sample uses string decryption to hide its real strings

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	String decryptor: jeggawire.ddns.net
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	String decryptor: 1111
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	String decryptor: <123456789>
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	String decryptor: <Xwormmm>
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	String decryptor: XWorm V5.0
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	String decryptor: USB.exe

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 176.65.134.56:1111 -> 192.168.2.7:49681
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 176.65.134.56:1111 -> 192.168.2.7:49681
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49681 -> 176.65.134.56:1111
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.7:49681 -> 176.65.134.56:1111
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49681 -> 176.65.134.56:1111

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: jeggawire.ddns.net

Uses dynamic DNS services

Source: unknown

DNS query: name: jeggawire.ddns.net

Source: global traffic

TCP traffic: 192.168.2.7:49681 -> 176.65.134.56:1111

Source: Joe Sandbox View

ASN Name: DIOGELO-ASGB DIOGELO-ASGB

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: jeggawire.ddns.net

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, 00000000.00000002.3295885287.00000000030C1000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, XLogger.cs

.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, type: SAMPLE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe.d10000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.0.1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe.d10000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.845459377.0000000000D12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Code function: 0_2_00007FFB9AA77622	0_2_00007FFB9AA77622
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Code function: 0_2_00007FFB9AA76876	0_2_00007FFB9AA76876
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Code function: 0_2_00007FFB9AA72400	0_2_00007FFB9AA72400

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, 00000000.00000000.845515249.0000000000D1C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBELIVE.exe4 vs 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Binary or memory string: OriginalFilenameBELIVE.exe4 vs 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, type: SAMPLE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe.d10000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe.d10000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.845459377.0000000000D12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Mutant created: \Sessions\1\BaseNamedObjects\B3fwm1leiWGbhJKV

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Virustotal: Detection: 83%
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Memory allocated: 1240000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	Memory allocated: 1B0C0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Window / User API: threadDelayed 9600

Jump to behavior

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe TID: 7028	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe TID: 7024	Thread sleep count: 254 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe TID: 7024	Thread sleep count: 9600 > 30	Jump to behavior

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, 00000000.00000002.3297870861.000000001C0E0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllonfi

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Queries volume information: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, 00000000.00000002.3295166491.0000000001363000.00000004.00000020.00020000.00000000.sdmp, 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, 00000000.00000002.3297870861.000000001C0EF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.845459377.0000000000D12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3295885287.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe PID: 6688, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.845459377.0000000000D12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3295885287.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe PID: 6688, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	121 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	131 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	21 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	83%	Virustotal		Browse
1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	86%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe	100%	Avira	TR/Spy.Gen
SAMPLE	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
jeggawire.ddns.net	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jeggawire.ddns.net	176.65.134.56	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
jeggawire.ddns.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, 00000000.00000002.3295885287.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
176.65.134.56	jeggawire.ddns.net	Germany		56325	DIOGELO-ASGB	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1652321
Start date and time:	2025-03-30 21:26:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 4 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 23.204.23.20
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
15:27:20	API Interceptor	12906720x Sleep call for process: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIOGELO-ASGB	SZf8I0IvEg.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	176.65.134.105
	Z9dgTYzz4x.exe	Get hash	malicious	RHADAMANTHYS	Browse	176.65.134.153
	killua.x86.elf	Get hash	malicious	Unknown	Browse	176.65.134.43
	a55fee51fe469b7ed4f23ef3753b380fb548d65f40306962.pptm.ps1	Get hash	malicious	RHADAMANTHYS	Browse	176.65.134.153
	sparc.nn.elf	Get hash	malicious	Mirai	Browse	176.65.134.15
	jae1h6e218.exe	Get hash	malicious	RHADAMANTHYS	Browse	176.65.134.145
	5IY8PW2nOl.exe	Get hash	malicious	RHADAMANTHYS	Browse	176.65.134.145
	tdm.js	Get hash	malicious	Remcos	Browse	176.65.134.41
	morte.x64.elf	Get hash	malicious	Unknown	Browse	176.65.134.62
	morte.m68k.elf	Get hash	malicious	Unknown	Browse	176.65.134.62

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.599929814190145
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe
File size:	36'864 bytes
MD5:	34b93b2c17fda25deeea946dbd2d6f4f
SHA1:	3f9dbac838bb4d03a7fbd5eb3bc0f80a7cdb98d0
SHA256:	3f3efdcd3b7961fb3974605017cec30b73f210f27dd96c5a3e6eb8cb3422f990
SHA512:	d68f5b4cf8e14fbbd535ccb4da90b0ac0f7b55e15ed78dc958f452134aa2f6b77790932d4da0e3ea4a645c53f86aeef99609fa045a09f1ba05d6d3803f25294b
SSDEEP:	768:WqQq3QWIdhgbvvGASaKyobFf9kqOMh53XP5:WPq3QnbOvegKyAFf9kqOMvP5
TLSH:	24F24C087B944226D5FD6FF169B371020674E613D913DB9D48E899EF2F27BC08D013AA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g............................^.... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40a55e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67E6B901 [Fri Mar 28 14:58:09 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa508	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8564	0x8600	01a8987d154e0cbb7cb23e9b5351f19f	False	0.500058302238806	data	5.735042656918437	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x4d8	0x600	5267dc5d563adf8d0b780ed72bc5642e	False	0.375	data	3.728205399188897	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	617961a99054885bb3d98d3462521733	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc0a0	0x244	data			0.4724137931034483
RT_MANIFEST	0xc2e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
FileDescription
FileVersion	1.0.0.0
InternalName	BELIVE.exe
LegalCopyright
OriginalFilename	BELIVE.exe
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-30T21:27:27.614600+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:27:27.614600+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:27:33.217352+0200	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:27:33.454209+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:27:33.458145+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:27:45.411905+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:27:45.518653+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:27:56.303025+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:27:56.320232+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:27:57.611640+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:27:57.611640+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:07.714589+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:07.716815+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:08.117386+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:19.130672+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:19.134169+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:25.416278+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:29.948778+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:30.610950+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:30.908317+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:41.192181+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:41.196427+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:46.103742+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:46.343700+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:46.346936+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:46.643721+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:51.553513+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:51.555880+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:52.463500+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:52.483082+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:28:57.615932+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:28:57.615932+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:01.962149+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:01.976963+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:07.831686+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:08.069345+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:08.069497+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:08.351763+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:13.633201+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:13.866448+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:14.115866+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:25.312378+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:25.546045+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:25.546126+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:25.773750+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:27.915483+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:27.915483+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:28.253877+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:28.253877+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:30.320411+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:30.322001+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:31.391749+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:31.619078+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:31.619178+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:31.845624+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:42.953932+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:42.955450+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:50.773589+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:50.779612+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:55.821924+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:55.823358+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:56.458005+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:29:56.459568+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:29:57.914146+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:00.570344+0200	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:01.097292+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:01.099420+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:02.250302+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:02.485152+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:02.485803+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:02.713711+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:03.754366+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:03.788425+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:04.149687+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:07.397362+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:07.621090+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:07.621186+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:07.859692+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:12.017723+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:12.019601+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:17.527768+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:18.620878+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:23.092872+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:23.095094+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:23.600877+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:27.607322+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:27.607322+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:30.036452+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:30.084454+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:30.868031+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:30.871542+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:34.867804+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:35.098258+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:35.784047+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:36.066657+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:38.923472+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:38.925674+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:39.273321+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:39.635564+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:41.227771+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:41.455703+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:41.458152+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:41.682696+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:51.600466+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:51.604608+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:53.177985+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:53.180473+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:56.679169+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:56.919637+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:57.149316+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:30:57.614457+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:57.614457+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:58.189288+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:30:58.253742+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:01.611659+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:01.613311+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:02.123407+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:02.356987+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:02.585904+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:02.585980+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:02.874121+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:03.335744+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:05.082344+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:05.083306+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:06.707734+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:06.746584+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:07.148152+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:18.128359+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:18.131492+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:18.877567+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:18.878666+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP
2025-03-30T21:31:27.922988+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:27.922988+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:30.297114+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.65.134.56	1111	192.168.2.7	49681	TCP
2025-03-30T21:31:30.298154+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49681	176.65.134.56	1111	TCP

Network Port Distribution

Total Packets: 174
• 1111 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 30, 2025 21:27:21.392390013 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:27:21.631244898 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:27:21.631388903 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:27:21.803141117 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:27:22.085706949 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:27:27.614599943 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:27:27.664189100 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:27:33.217351913 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:27:33.454209089 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:27:33.458144903 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:27:33.740570068 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:27:44.633471012 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:27:45.148468018 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:27:45.383656979 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:27:45.411905050 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:27:45.460951090 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:27:45.518652916 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:27:45.803383112 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:27:56.065752029 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:27:56.303025007 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:27:56.320231915 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:27:56.597378016 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:27:57.611639977 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:27:57.664100885 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:07.477705002 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:07.714589119 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:07.716814995 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:08.117386103 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:08.351480961 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:18.898792982 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:19.130671978 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:19.134169102 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:19.415749073 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:23.570822001 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:23.960890055 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:24.193212986 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:25.416277885 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:25.418678999 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:25.804646015 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:26.034868956 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:29.430066109 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:29.714255095 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:29.714335918 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:29.948777914 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:29.951905966 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:30.586029053 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:30.592010021 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:30.610949993 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:30.908230066 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:30.908317089 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:31.210875988 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:40.945571899 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:41.192181110 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:41.196427107 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:41.471992016 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:45.867415905 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:46.103741884 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:46.103957891 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:46.343699932 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:46.346935987 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:46.636140108 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:46.643721104 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:46.932188988 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:51.320607901 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:51.553513050 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:51.555880070 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:51.832458973 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:51.914261103 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:52.384299040 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:52.463500023 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:52.483082056 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:28:52.613501072 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:52.759200096 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:57.615931988 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:28:57.663940907 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:01.415672064 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:01.773328066 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:01.962148905 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:01.976963043 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:02.006136894 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:02.256128073 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:07.284061909 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:07.632715940 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:07.831686020 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:07.831787109 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:07.864495039 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:08.069344997 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:08.069497108 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:08.351594925 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:08.351763010 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:08.633584976 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:13.398621082 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:13.633200884 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:13.633316994 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:13.866447926 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:13.866631031 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:14.112529039 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:14.115865946 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:14.348865986 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:14.350848913 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:14.628181934 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:14.631814003 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:14.912211895 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:25.086143970 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:25.312377930 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:25.312454939 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:25.546045065 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:25.546125889 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:25.773677111 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:25.773750067 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:26.049433947 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:26.051737070 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:26.507642031 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:26.735691071 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:27.915482998 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:28.101397038 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:28.253876925 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:28.253973961 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:30.086234093 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:30.320410967 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:30.322000980 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:30.598679066 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:31.164369106 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:31.391748905 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:31.391828060 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:31.619077921 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:31.619178057 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:31.845541954 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:31.845623970 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:32.117696047 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:32.118150949 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:32.397526979 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:42.726787090 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:42.953932047 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:42.955450058 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:43.237911940 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:50.539170027 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:50.773588896 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:50.779612064 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:51.056473970 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:55.585988998 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:55.821923971 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:55.823358059 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:56.110351086 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:56.226635933 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:56.458004951 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:56.459568024 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:56.737605095 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:57.492319107 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:57.771267891 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:57.911029100 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:29:57.914145947 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:29:58.214520931 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:00.570343971 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:00.960731983 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:01.097291946 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:01.099420071 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:01.181021929 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:01.418124914 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:02.012173891 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:02.250302076 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:02.253736019 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:02.485152006 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:02.485802889 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:02.711291075 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:02.713711023 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:03.116965055 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:03.346506119 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:03.517121077 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:03.754365921 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:03.788424969 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:04.149687052 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:04.375618935 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:07.164305925 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:07.397361994 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:07.397439003 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:07.621089935 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:07.621186018 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:07.859594107 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:07.859692097 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:08.143656015 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:08.147310972 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:08.430387020 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:11.789181948 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:12.017723083 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:12.019601107 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:12.310684919 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:17.304980993 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:17.527767897 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:17.527863979 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:17.913841009 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:18.069950104 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:18.070099115 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:18.139707088 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:18.139729977 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:18.139806986 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:18.139846087 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:18.404571056 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:18.617952108 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:18.620877981 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:18.904112101 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:18.904196978 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:19.199049950 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:22.851627111 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:23.092871904 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:23.095093966 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:23.363615036 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:23.363671064 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:23.600877047 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:23.601006985 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:23.832968950 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:23.833084106 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:24.064407110 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:24.064507961 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:24.291224957 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:24.293766022 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:24.565665960 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:24.574575901 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:24.848325014 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:27.607321978 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:27.648188114 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:29.492758989 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:29.851315022 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:30.036452055 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:30.036530018 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:30.084361076 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:30.084454060 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:30.266907930 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:30.266932011 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:30.320261955 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:30.364033937 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:30.364341021 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:30.645852089 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:30.646075010 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:30.868031025 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:30.871541977 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:31.153584957 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:34.633053064 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:34.867804050 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:34.867887974 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:35.098258018 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:35.098361015 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:35.327764034 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:35.327867985 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:35.559878111 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:35.560010910 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:35.784046888 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:35.784173965 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:36.066140890 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:36.066657066 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:36.346927881 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:38.695874929 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:38.923471928 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:38.925673962 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:39.273320913 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:39.635564089 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:40.351304054 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:41.227771044 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:41.228082895 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:41.455703020 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:41.458152056 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:41.679553032 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:41.682696104 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:41.950305939 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:41.950444937 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:42.304409027 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:42.534367085 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:51.055192947 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:51.398224115 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:51.600466013 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:51.604608059 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:51.876914024 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:52.949479103 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:53.177984953 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:53.180473089 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:53.456047058 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:56.445595980 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:56.679168940 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:56.679238081 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:56.919636965 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:56.919723988 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:57.149234056 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:57.149316072 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:57.379808903 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:57.383677006 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:57.614456892 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:57.621618986 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:57.945041895 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:58.188719988 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:58.189287901 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:30:58.253741980 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:30:58.536596060 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:01.058377981 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:01.446758986 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:01.611659050 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:01.613311052 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:01.679986000 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:01.893755913 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:01.893856049 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:02.123406887 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:02.123672009 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:02.356987000 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:02.357054949 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:02.585903883 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:02.585979939 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:02.873344898 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:02.874120951 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:03.335743904 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:03.566266060 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:04.852333069 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:05.082344055 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:05.083306074 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:05.362261057 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:06.477042913 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:06.707734108 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:06.746583939 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:07.148152113 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:07.373693943 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:17.898390055 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:18.128359079 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:18.131491899 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:18.407418966 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:18.648602962 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:18.877567053 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:18.878665924 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:19.158360958 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:27.922987938 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:27.976279974 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:30.070460081 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:30.297113895 CEST	1111	49681	176.65.134.56	192.168.2.7
Mar 30, 2025 21:31:30.298154116 CEST	49681	1111	192.168.2.7	176.65.134.56
Mar 30, 2025 21:31:30.587615967 CEST	1111	49681	176.65.134.56	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 30, 2025 21:27:21.232471943 CEST	57215	53	192.168.2.7	1.1.1.1
Mar 30, 2025 21:27:21.376542091 CEST	53	57215	1.1.1.1	192.168.2.7
Mar 30, 2025 21:27:59.343880892 CEST	53	49807	162.159.36.2	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 30, 2025 21:27:21.232471943 CEST	192.168.2.7	1.1.1.1	0xd90	Standard query (0)	jeggawire.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 30, 2025 21:27:21.376542091 CEST	1.1.1.1	192.168.2.7	0xd90	No error (0)	jeggawire.ddns.net		176.65.134.56	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Click to jump to process

Memory Usage

• 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

System Behavior

Analysis Process: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exePID: 6688, Parent PID: 4088

Function Logs

General

Target ID:	0
Start time:	15:27:11
Start date:	30/03/2025
Path:	C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe"
Imagebase:	0xd10000
File size:	36'864 bytes
MD5 hash:	34B93B2C17FDA25DEEEA946DBD2D6F4F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.845459377.0000000000D12000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.845459377.0000000000D12000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3295885287.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Analysis Process: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exePID: 6688, Parent PID: 4088COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	21.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Show Legend

Hide Nodes/Edges

Executed Functions

Function 00007FFB9AA72400 Relevance: 1.0, Instructions: 967
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3298505546.00007FFB9AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB9AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb9aa70000_1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd67.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1429c2d25420d12d7141d74caa600e42ac77d806a6b044d98081b2cd10820108
Instruction ID: ef12d8433232d6d6e8cce10298e134fcae3f6471e468045cb50f61798e21697f
Opcode Fuzzy Hash: 1429c2d25420d12d7141d74caa600e42ac77d806a6b044d98081b2cd10820108
Instruction Fuzzy Hash: 1E625BB4F2C51A5BEBA4FB78C8956BA72D6FF88314B5045B8D01DC32D6DE2CB8028741

Function 00007FFB9AA76876 Relevance: .5, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3298505546.00007FFB9AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB9AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb9aa70000_1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd67.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b56e4f5bb7746bf21b12ac3a0b37d3c47b206425b568c1c978f1b4fd567845
Instruction ID: 4cbe834c07be37a0574dc4b407472182cbd6fe80ec2d469d1e0c1136054bb046
Opcode Fuzzy Hash: c2b56e4f5bb7746bf21b12ac3a0b37d3c47b206425b568c1c978f1b4fd567845
Instruction Fuzzy Hash: 66F1A570918A4E8FEBA9DF38C8557EA77E1FF55310F04426EE84DC7291CB38A9458B81

Function 00007FFB9AA77622 Relevance: .5, Instructions: 456
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3298505546.00007FFB9AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB9AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb9aa70000_1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd67.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61fdab3d1a886ff511df3886135b5d752581f1a766cfb27fa9e4249d9a33e212
Instruction ID: 4a0bde74d18b93a0d60b7dd671348a357c62f19956003ee74cfa97e838db901b
Opcode Fuzzy Hash: 61fdab3d1a886ff511df3886135b5d752581f1a766cfb27fa9e4249d9a33e212
Instruction Fuzzy Hash: 2BE1A370908A4E8FEBA8DF28C8557FA77D1FF54310F14426EE84DC72A1DE78A9458B81

Function 00007FFB9AA71BE8 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFB9AA71CB1

Memory Dump Source

Source File: 00000000.00000002.3298505546.00007FFB9AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB9AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb9aa70000_1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd67.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 4175cd108e58bed9385042a18bd0239f0e7791804c777f615431eed4d964bfa7
Instruction ID: ceb392e3a367def1554f6cf3e93d590461c60531ff2998232f560c3a0f7bf3f8
Opcode Fuzzy Hash: 4175cd108e58bed9385042a18bd0239f0e7791804c777f615431eed4d964bfa7
Instruction Fuzzy Hash: 39310A70E1CA494FDB58EB6CD8466F977E1EF99321F00427ED009D3292CE64B85287C1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe