
Windows Analysis Report
1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe

Overview

General Information

Sample name: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe
Analysis ID: 1652321
MD5: 34b93b2c17fda25deeea946dbd2d6f4f
SHA1: 3f9dbac838bb4d03a7fbd5eb3bc0f80a7cdb98d0
SHA256: 3f3efdcd3b7961fb3974605017cec30b73f210f27dd96c5a3e6eb8cb3422f990
Tags: base64-decoded, exe, user-abuse_ch

Detection

XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

(Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious)
  • System is w10x64
  • cleanup
{
  "C2 url": [
    "jeggawire.ddns.net"
  ],
  "Port": 1111,
  "Aes key": "<123456789>",
  "SPL": "<Xwormmm>",
  "Install file": "USB.exe",
  "Version": "XWorm V5.0"
}
Yara matches (Source, Rule, Description, Author, Strings):

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe
  • Rule: JoeSecurity_XWorm (Joe Security): Yara detected XWorm
  • Rule: rat_win_xworm_v3 (Sekoia.io): Finds XWorm (version XClient, v3) samples based on characteristic strings
    Strings:
    • 0x6377:$str01: $VB$Local_Port
    • 0x6368:$str02: $VB$Local_Host
    • 0x6662:$str03: get_Jpeg
    • 0x6027:$str04: get_ServicePack
    • 0x70de:$str05: Select * from AntivirusProduct
    • 0x72dc:$str06: PCRestart
    • 0x72f0:$str07: shutdown.exe /f /r /t 0
    • 0x73a2:$str08: StopReport
    • 0x7378:$str09: StopDDos
    • 0x746e:$str10: sendPlugin
    • 0x760c:$str12: -ExecutionPolicy Bypass -File "
    • 0x7735:$str13: Content-length: 5235
  • Rule: MALWARE_Win_AsyncRAT (ditekSHen): Detects AsyncRAT
    Strings:
    • 0x79a2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7a3f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7b54:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x7650:$cnc4: POST / HTTP/1.1

Source: 00000000.00000000.845459377.0000000000D12000.00000002.00000001.01000000.00000003.sdmp
  • Rule: JoeSecurity_XWorm (Joe Security): Yara detected XWorm
  • Rule: MALWARE_Win_AsyncRAT (ditekSHen): Detects AsyncRAT
    Strings:
    • 0x77a2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x783f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7954:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x7450:$cnc4: POST / HTTP/1.1

Source: 00000000.00000002.3295885287.00000000030C1000.00000004.00000800.00020000.00000000.sdmp
  • Rule: JoeSecurity_XWorm (Joe Security): Yara detected XWorm

Source: Process Memory Space: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe PID: 6688
  • Rule: JoeSecurity_XWorm (Joe Security): Yara detected XWorm

Source: 0.0.1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe.d10000.0.unpack
  • Rule: JoeSecurity_XWorm (Joe Security): Yara detected XWorm
  • Rule: rat_win_xworm_v3 (Sekoia.io): Finds XWorm (version XClient, v3) samples based on characteristic strings
    Strings:
    • 0x6377:$str01: $VB$Local_Port
    • 0x6368:$str02: $VB$Local_Host
    • 0x6662:$str03: get_Jpeg
    • 0x6027:$str04: get_ServicePack
    • 0x70de:$str05: Select * from AntivirusProduct
    • 0x72dc:$str06: PCRestart
    • 0x72f0:$str07: shutdown.exe /f /r /t 0
    • 0x73a2:$str08: StopReport
    • 0x7378:$str09: StopDDos
    • 0x746e:$str10: sendPlugin
    • 0x760c:$str12: -ExecutionPolicy Bypass -File "
    • 0x7735:$str13: Content-length: 5235
  • Rule: MALWARE_Win_AsyncRAT (ditekSHen): Detects AsyncRAT
    Strings:
    • 0x79a2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7a3f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7b54:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x7650:$cnc4: POST / HTTP/1.1
            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-30T21:27:27.614600+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
2025-03-30T21:27:57.611640+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
2025-03-30T21:28:57.615932+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
2025-03-30T21:29:27.915483+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
2025-03-30T21:29:28.253877+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
2025-03-30T21:30:27.607322+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
2025-03-30T21:30:57.614457+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
2025-03-30T21:31:27.922988+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-30T21:30:00.570344+0200 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP


            AV Detection

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Avira: detected
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Malware Configuration Extractor: Xworm {"C2 url": ["jeggawire.ddns.net"], "Port": 1111, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.0"}
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Virustotal: Detection: 83%
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | ReversingLabs: Detection: 86%
Source: Submitted Sample | Neural Call Log Analysis: 96.1%
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | String decryptor: jeggawire.ddns.net
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | String decryptor: 1111
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | String decryptor: <123456789>
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | String decryptor: <Xwormmm>
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | String decryptor: XWorm V5.0
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | String decryptor: USB.exe
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 176.65.134.56:1111 -> 192.168.2.7:49681
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 176.65.134.56:1111 -> 192.168.2.7:49681
Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49681 -> 176.65.134.56:1111
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.7:49681 -> 176.65.134.56:1111
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49681 -> 176.65.134.56:1111
Source: Malware configuration extractor | URLs: jeggawire.ddns.net
Source: unknown | DNS query: name: jeggawire.ddns.net
Source: global traffic | TCP traffic: 192.168.2.7:49681 -> 176.65.134.56:1111
Source: Joe Sandbox View | ASN Name: DIOGELO-ASGB DIOGELO-ASGB
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: jeggawire.ddns.net
Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, 00000000.00000002.3295885287.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, XLogger.cs | .Net Code: KeyboardLayout

            System Summary

            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, type: SAMPLEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.0.1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe.d10000.0.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.0.1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe.d10000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000000.845459377.0000000000D12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exeProcess Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Code function: 0_2_00007FFB9AA77622
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Code function: 0_2_00007FFB9AA76876
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Code function: 0_2_00007FFB9AA72400
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, 00000000.00000000.845515249.0000000000D1C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBELIVE.exe4 vs 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Binary or memory string: OriginalFilenameBELIVE.exe4 vs 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 (author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147)
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
            Source: 0.0.1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe.d10000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 (author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147)
            Source: 0.0.1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe.d10000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
            Source: 00000000.00000000.845459377.0000000000D12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\B3fwm1leiWGbhJKV
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Virustotal: Detection: 83%
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | ReversingLabs: Detection: 86%
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: avicap32.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: msvfw32.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, Messages.cs | .Net Code: Memory
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Memory allocated: 1240000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Memory allocated: 1B0C0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Window / User API: threadDelayed 9600
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe TID: 7028 | Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe TID: 7024 | Thread sleep count: 254 > 30
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe TID: 7024 | Thread sleep count: 9600 > 30
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Thread delayed: delay time: 922337203685477
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, 00000000.00000002.3297870861.000000001C0E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllonfi
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Queries volume information: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe VolumeInformation
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, 00000000.00000002.3295166491.0000000001363000.00000004.00000020.00020000.00000000.sdmp, 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, 00000000.00000002.3297870861.000000001C0EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe.d10000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.845459377.0000000000D12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.3295885287.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe PID: 6688, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe.d10000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.845459377.0000000000D12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.3295885287.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe PID: 6688, type: MEMORYSTR
            MITRE ATT&CK matrix, listed per tactic (the numbers in parentheses are the signature-count badges shown in the original matrix cells):
            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
            Execution: Windows Management Instrumentation (11); Scheduled Task/Job; At; Cron; Launchd
            Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
            Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
            Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (131); Deobfuscate/Decode Files or Information (1); Software Packing (2); DLL Side-Loading (1)
            Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
            Discovery: Security Software Discovery (121); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); System Information Discovery (13)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
            Collection: Input Capture (1); Archive Collected Data (11); Data from Network Shared Drive; Input Capture; Keylogging
            Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (21); Fallback Channels
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
            Behavior Graph (ID: 1652321; start date: 30/03/2025; architecture: WINDOWS; score: 100)
            • Process started: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe
            • Network: jeggawire.ddns.net -> 176.65.134.56, remote port 1111, local port 49681, DIOGELO-ASGB, Germany
            • Signatures on the sample: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
            • Signature on the domain: Uses dynamic DNS services
            • Signature on the process: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

            Source | Detection | Scanner | Label
            1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | 83% | Virustotal |
            1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | 86% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
            1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | 100% | Avira | TR/Spy.Gen
            SAMPLE | 100% | Joe Sandbox ML |
            No Antivirus matches
            Source | Detection | Scanner | Label
            jeggawire.ddns.net | 0% | Avira URL Cloud | safe


            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            jeggawire.ddns.net | 176.65.134.56 | true | true | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            jeggawire.ddns.net | true | Avira URL Cloud: safe | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe, 00000000.00000002.3295885287.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
            IP | Domain | Country | ASN | ASN Name | Malicious
            176.65.134.56 | jeggawire.ddns.net | Germany | 56325 | DIOGELO-ASGB | true
                Joe Sandbox version:42.0.0 Malachite
                Analysis ID:1652321
                Start date and time:2025-03-30 21:26:21 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 6m 28s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:13
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@1/0@1/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 98%
                • Number of executed functions: 4
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 52.149.20.212, 23.204.23.20
                • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed; the report is missing behavior information
                Time | Type | Description
                15:27:20 | API Interceptor | 12906720x Sleep call for process: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe modified
                Match: DIOGELO-ASGB
                Associated Sample Name / URL | Detection | Threat Name | Context
                SZf8I0IvEg.exe | malicious | AsyncRAT, DcRat | 176.65.134.105
                Z9dgTYzz4x.exe | malicious | RHADAMANTHYS | 176.65.134.153
                killua.x86.elf | malicious | Unknown | 176.65.134.43
                a55fee51fe469b7ed4f23ef3753b380fb548d65f40306962.pptm.ps1 | malicious | RHADAMANTHYS | 176.65.134.153
                sparc.nn.elf | malicious | Mirai | 176.65.134.15
                jae1h6e218.exe | malicious | RHADAMANTHYS | 176.65.134.145
                5IY8PW2nOl.exe | malicious | RHADAMANTHYS | 176.65.134.145
                tdm.js | malicious | Remcos | 176.65.134.41
                morte.x64.elf | malicious | Unknown | 176.65.134.62
                morte.m68k.elf | malicious | Unknown | 176.65.134.62
                No created / dropped files found
                File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit): 5.599929814190145
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                • Win32 Executable (generic) a (10002005/4) 49.75%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Windows Screen Saver (13104/52) 0.07%
                • Generic Win/DOS Executable (2004/3) 0.01%
                File name: 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe
                File size: 36'864 bytes
                MD5: 34b93b2c17fda25deeea946dbd2d6f4f
                SHA1: 3f9dbac838bb4d03a7fbd5eb3bc0f80a7cdb98d0
                SHA256: 3f3efdcd3b7961fb3974605017cec30b73f210f27dd96c5a3e6eb8cb3422f990
                SHA512: d68f5b4cf8e14fbbd535ccb4da90b0ac0f7b55e15ed78dc958f452134aa2f6b77790932d4da0e3ea4a645c53f86aeef99609fa045a09f1ba05d6d3803f25294b
                SSDEEP: 768:WqQq3QWIdhgbvvGASaKyobFf9kqOMh53XP5:WPq3QnbOvegKyAFf9kqOMvP5
                TLSH: 24F24C087B944226D5FD6FF169B371020674E613D913DB9D48E899EF2F27BC08D013AA
                File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g............................^.... ........@.. ....................................@................................
                Icon Hash: 90cececece8e8eb0
                Entrypoint: 0x40a55e
                Entrypoint Section: .text
                Digitally signed: false
                Imagebase: 0x400000
                Subsystem: windows gui
                Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp: 0x67E6B901 [Fri Mar 28 14:58:09 2025 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major: 4
                OS Version Minor: 0
                File Version Major: 4
                File Version Minor: 0
                Subsystem Version Major: 4
                Subsystem Version Minor: 0
                Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                Instruction
                jmp dword ptr [00402000h]
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa508 | 0x53 | .text
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4d8 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x2000 | 0x8564 | 0x8600 | 01a8987d154e0cbb7cb23e9b5351f19f | False | 0.500058302238806 | data | 5.735042656918437 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rsrc | 0xc000 | 0x4d8 | 0x600 | 5267dc5d563adf8d0b780ed72bc5642e | False | 0.375 | data | 3.728205399188897 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0xe000 | 0xc | 0x200 | 617961a99054885bb3d98d3462521733 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                RT_VERSION | 0xc0a0 | 0x244 | data | | | 0.4724137931034483
                RT_MANIFEST | 0xc2e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                DLL | Import
                mscoree.dll | _CorExeMain
                Description | Data
                Translation | 0x0000 0x04b0
                FileDescription |
                FileVersion | 1.0.0.0
                InternalName | BELIVE.exe
                LegalCopyright |
                OriginalFilename | BELIVE.exe
                ProductVersion | 1.0.0.0
                Assembly Version | 1.0.0.0


                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2025-03-30T21:27:27.614600+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:27:27.614600+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:27:33.217352+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:27:33.454209+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:27:33.458145+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:27:45.411905+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:27:45.518653+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:27:56.303025+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:27:56.320232+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:27:57.611640+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:27:57.611640+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:28:07.714589+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:28:07.716815+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:28:08.117386+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:28:19.130672+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:28:19.134169+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:28:25.416278+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:28:29.948778+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:28:30.610950+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:28:30.908317+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:28:41.192181+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:28:41.196427+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:28:46.103742+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:28:46.343700+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:28:46.346936+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:28:46.643721+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:28:51.553513+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:28:51.555880+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:28:52.463500+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:28:52.483082+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:28:57.615932+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:28:57.615932+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:01.962149+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:01.976963+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:29:07.831686+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:08.069345+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:08.069497+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:29:08.351763+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:29:13.633201+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:13.866448+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:14.115866+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:29:25.312378+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:25.546045+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:25.546126+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:29:25.773750+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:29:27.915483+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:27.915483+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:28.253877+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:28.253877+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:30.320411+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:30.322001+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:29:31.391749+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:31.619078+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:31.619178+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:29:31.845624+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:29:42.953932+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:42.955450+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:29:50.773589+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:50.779612+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:29:55.821924+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:55.823358+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:29:56.458005+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:29:56.459568+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:29:57.914146+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:00.570344+0200 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:01.097292+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:01.099420+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:02.250302+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:02.485152+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:02.485803+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:02.713711+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:03.754366+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:03.788425+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:04.149687+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:07.397362+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:07.621090+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:07.621186+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:07.859692+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:12.017723+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:12.019601+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:17.527768+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:18.620878+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:23.092872+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:23.095094+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:23.600877+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:27.607322+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:27.607322+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:30.036452+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:30.084454+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:30.868031+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:30.871542+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:34.867804+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:35.098258+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:35.784047+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:36.066657+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:38.923472+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:38.925674+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:39.273321+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:39.635564+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:41.227771+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:41.455703+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:41.458152+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:41.682696+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:51.600466+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:51.604608+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:53.177985+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:53.180473+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:56.679169+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:56.919637+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:57.149316+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:30:57.614457+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:57.614457+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:58.189288+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:30:58.253742+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:31:01.611659+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:31:01.613311+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:31:02.123407+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:31:02.356987+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:31:02.585904+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:31:02.585980+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:31:02.874121+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:31:03.335744+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:31:05.082344+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:31:05.083306+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:31:06.707734+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:31:06.746584+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:31:07.148152+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:31:18.128359+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:31:18.131492+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:31:18.877567+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:31:18.878666+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                2025-03-30T21:31:27.922988+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:31:27.922988+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:31:30.297114+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.7 | 49681 | TCP
                2025-03-30T21:31:30.298154+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49681 | 176.65.134.56 | 1111 | TCP
                • Total Packets: 174
                • 1111 undefined
                • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 30, 2025 21:27:21.392390013 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:27:21.631244898 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:27:21.631388903 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:27:21.803141117 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:27:22.085706949 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:27:27.614599943 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:27:27.664189100 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:27:33.217351913 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:27:33.454209089 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:27:33.458144903 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:27:33.740570068 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:27:44.633471012 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:27:45.148468018 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:27:45.383656979 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:27:45.411905050 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:27:45.460951090 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:27:45.518652916 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:27:45.803383112 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:27:56.065752029 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:27:56.303025007 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:27:56.320231915 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:27:56.597378016 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:27:57.611639977 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:27:57.664100885 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:07.477705002 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:07.714589119 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:07.716814995 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:08.117386103 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:08.351480961 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:18.898792982 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:19.130671978 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:19.134169102 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:19.415749073 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:23.570822001 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:23.960890055 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:24.193212986 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:25.416277885 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:25.418678999 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:25.804646015 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:26.034868956 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:29.430066109 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:29.714255095 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:29.714335918 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:29.948777914 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:29.951905966 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:30.586029053 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:30.592010021 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:30.610949993 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:30.908230066 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:30.908317089 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:31.210875988 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:40.945571899 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:41.192181110 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:41.196427107 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:41.471992016 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:45.867415905 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:46.103741884 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:46.103957891 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:46.343699932 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:46.346935987 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:46.636140108 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:46.643721104 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:46.932188988 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:51.320607901 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:51.553513050 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:51.555880070 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:51.832458973 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:51.914261103 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:52.384299040 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:52.463500023 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:52.483082056 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:28:52.613501072 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:52.759200096 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:57.615931988 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:28:57.663940907 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:01.415672064 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:01.773328066 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:01.962148905 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:01.976963043 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:02.006136894 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:02.256128073 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:07.284061909 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:07.632715940 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:07.831686020 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:07.831787109 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:07.864495039 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:08.069344997 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:08.069497108 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:08.351594925 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:08.351763010 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:08.633584976 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:13.398621082 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:13.633200884 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:13.633316994 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:13.866447926 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:13.866631031 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:14.112529039 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:14.115865946 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:14.348865986 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:14.350848913 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:14.628181934 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:14.631814003 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:14.912211895 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:25.086143970 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:25.312377930 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:25.312454939 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:25.546045065 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:25.546125889 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:25.773677111 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:25.773750067 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:26.049433947 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:26.051737070 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:26.507642031 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:26.735691071 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:27.915482998 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:28.101397038 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:28.253876925 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:28.253973961 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:30.086234093 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:30.320410967 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:30.322000980 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:30.598679066 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:31.164369106 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:31.391748905 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:31.391828060 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:31.619077921 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:31.619178057 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:31.845541954 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:31.845623970 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:32.117696047 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:32.118150949 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:32.397526979 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:42.726787090 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:42.953932047 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:42.955450058 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:43.237911940 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:50.539170027 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:50.773588896 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:50.779612064 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:51.056473970 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:55.585988998 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:55.821923971 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:55.823358059 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:56.110351086 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:56.226635933 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:56.458004951 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:56.459568024 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:56.737605095 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:57.492319107 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:57.771267891 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:57.911029100 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:29:57.914145947 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:29:58.214520931 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:00.570343971 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:00.960731983 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:01.097291946 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:01.099420071 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:01.181021929 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:01.418124914 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:02.012173891 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:02.250302076 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:02.253736019 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:02.485152006 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:02.485802889 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:02.711291075 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:02.713711023 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:03.116965055 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:03.346506119 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:03.517121077 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:03.754365921 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:03.788424969 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:04.149687052 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:04.375618935 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:07.164305925 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:07.397361994 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:07.397439003 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:07.621089935 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:07.621186018 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:07.859594107 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:07.859692097 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:08.143656015 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:08.147310972 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:08.430387020 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:11.789181948 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:12.017723083 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:12.019601107 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:12.310684919 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:17.304980993 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:17.527767897 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:17.527863979 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:17.913841009 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:18.069950104 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:18.070099115 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:18.139707088 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:18.139729977 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:18.139806986 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:18.139846087 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:18.404571056 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:18.617952108 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:18.620877981 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:18.904112101 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:18.904196978 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:19.199049950 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:22.851627111 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:23.092871904 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:23.095093966 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:23.363615036 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:23.363671064 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:23.600877047 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:23.601006985 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:23.832968950 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:23.833084106 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:24.064407110 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:24.064507961 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:24.291224957 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:24.293766022 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:24.565665960 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:24.574575901 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:24.848325014 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:27.607321978 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:27.648188114 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:29.492758989 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:29.851315022 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:30.036452055 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:30.036530018 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:30.084361076 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:30.084454060 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:30.266907930 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:30.266932011 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:30.320261955 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:30.364033937 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:30.364341021 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:30.645852089 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:30.646075010 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:30.868031025 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:30.871541977 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:31.153584957 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:34.633053064 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:34.867804050 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:34.867887974 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:35.098258018 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:35.098361015 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:35.327764034 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:35.327867985 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:35.559878111 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:35.560010910 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:35.784046888 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:35.784173965 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:36.066140890 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:36.066657066 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:36.346927881 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:38.695874929 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:38.923471928 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:38.925673962 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:39.273320913 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:39.635564089 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:40.351304054 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:41.227771044 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:41.228082895 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:41.455703020 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:41.458152056 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:41.679553032 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:41.682696104 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:41.950305939 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:41.950444937 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:42.304409027 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:42.534367085 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:51.055192947 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:51.398224115 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:51.600466013 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:51.604608059 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:51.876914024 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:52.949479103 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:53.177984953 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:53.180473089 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:53.456047058 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:56.445595980 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:56.679168940 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:56.679238081 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:56.919636965 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:56.919723988 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:57.149234056 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:57.149316072 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:57.379808903 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:57.383677006 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:57.614456892 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:57.621618986 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:57.945041895 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:58.188719988 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:58.189287901 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:30:58.253741980 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:30:58.536596060 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:01.058377981 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:01.446758986 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:01.611659050 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:01.613311052 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:01.679986000 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:01.893755913 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:01.893856049 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:02.123406887 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:02.123672009 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:02.356987000 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:02.357054949 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:02.585903883 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:02.585979939 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:02.873344898 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:02.874120951 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:03.335743904 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:03.566266060 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:04.852333069 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:05.082344055 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:05.083306074 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:05.362261057 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:06.477042913 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:06.707734108 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:06.746583939 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:07.148152113 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:07.373693943 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:17.898390055 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:18.128359079 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:18.131491899 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:18.407418966 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:18.648602962 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:18.877567053 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:18.878665924 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:19.158360958 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:27.922987938 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:27.976279974 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:30.070460081 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:30.297113895 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Mar 30, 2025 21:31:30.298154116 CEST | 49681 | 1111 | 192.168.2.7 | 176.65.134.56
Mar 30, 2025 21:31:30.587615967 CEST | 1111 | 49681 | 176.65.134.56 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 30, 2025 21:27:21.232471943 CEST | 57215 | 53 | 192.168.2.7 | 1.1.1.1
Mar 30, 2025 21:27:21.376542091 CEST | 53 | 57215 | 1.1.1.1 | 192.168.2.7
Mar 30, 2025 21:27:59.343880892 CEST | 53 | 49807 | 162.159.36.2 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 30, 2025 21:27:21.232471943 CEST | 192.168.2.7 | 1.1.1.1 | 0xd90 | Standard query (0) | jeggawire.ddns.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 30, 2025 21:27:21.376542091 CEST | 1.1.1.1 | 192.168.2.7 | 0xd90 | No error (0) | jeggawire.ddns.net | | 176.65.134.56 | A (IP address) | IN (0x0001) | false

                Target ID:0
                Start time:15:27:11
                Start date:30/03/2025
                Path:C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\Desktop\1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe"
                Imagebase:0xd10000
                File size:36'864 bytes
                MD5 hash:34B93B2C17FDA25DEEEA946DBD2D6F4F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.845459377.0000000000D12000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.845459377.0000000000D12000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3295885287.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:false

                Execution Graph

                Execution Coverage:21.5%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:0%
                Total number of Nodes:3
                Total number of Limit Nodes:0
execution_graph:
• Node 5082: 7ffb9aa71be8
• Node 5084: 7ffb9aa71bf1 SetWindowsHookExW
• Node 5085: 7ffb9aa71cc1
• Edges: 5082 -> 5084, 5084 -> 5085

                Executed Functions

                Control-flow Graph

                control_flow_graph 257 7ffb9aa72400-7ffb9aa79fe0 call 7ffb9aa705d8 261 7ffb9aa79fe5-7ffb9aa7a025 257->261 265 7ffb9aa7a09b 261->265 266 7ffb9aa7a027-7ffb9aa7a044 261->266 268 7ffb9aa7a0a0-7ffb9aa7a0b5 265->268 266->268 269 7ffb9aa7a046-7ffb9aa7a096 call 7ffb9aa794c0 266->269 272 7ffb9aa7a0ce-7ffb9aa7a0e3 268->272 273 7ffb9aa7a0b7-7ffb9aa7a0c9 call 7ffb9aa705e8 268->273 290 7ffb9aa7ace6-7ffb9aa7acf4 269->290 278 7ffb9aa7a116-7ffb9aa7a12b 272->278 279 7ffb9aa7a0e5-7ffb9aa7a111 272->279 273->290 286 7ffb9aa7a13e-7ffb9aa7a153 278->286 287 7ffb9aa7a12d-7ffb9aa7a139 call 7ffb9aa77fa0 278->287 279->290 294 7ffb9aa7a199-7ffb9aa7a1ae 286->294 295 7ffb9aa7a155-7ffb9aa7a158 286->295 287->290 300 7ffb9aa7a1b0-7ffb9aa7a1b3 294->300 301 7ffb9aa7a1ef-7ffb9aa7a204 294->301 295->265 297 7ffb9aa7a15e-7ffb9aa7a169 295->297 297->265 298 7ffb9aa7a16f-7ffb9aa7a194 call 7ffb9aa705c0 call 7ffb9aa77fa0 297->298 298->290 300->265 303 7ffb9aa7a1b9-7ffb9aa7a1c4 300->303 308 7ffb9aa7a231-7ffb9aa7a246 301->308 309 7ffb9aa7a206-7ffb9aa7a209 301->309 303->265 306 7ffb9aa7a1ca-7ffb9aa7a1ea call 7ffb9aa705c0 call 7ffb9aa72450 303->306 306->290 317 7ffb9aa7a332-7ffb9aa7a347 308->317 318 7ffb9aa7a24c-7ffb9aa7a2ac call 7ffb9aa70548 308->318 309->265 312 7ffb9aa7a20f-7ffb9aa7a22c call 7ffb9aa705c0 call 7ffb9aa72458 309->312 312->290 326 7ffb9aa7a349-7ffb9aa7a34c 317->326 327 7ffb9aa7a366-7ffb9aa7a37b 317->327 318->265 358 7ffb9aa7a2b2-7ffb9aa7a2e1 318->358 326->265 330 7ffb9aa7a352-7ffb9aa7a361 call 7ffb9aa72430 326->330 334 7ffb9aa7a39d-7ffb9aa7a3b2 327->334 335 7ffb9aa7a37d-7ffb9aa7a380 327->335 330->290 343 7ffb9aa7a3d2-7ffb9aa7a3e7 334->343 344 7ffb9aa7a3b4-7ffb9aa7a3cd 334->344 335->265 338 7ffb9aa7a386-7ffb9aa7a398 call 7ffb9aa72430 335->338 338->290 349 7ffb9aa7a3e9-7ffb9aa7a402 343->349 350 7ffb9aa7a407-7ffb9aa7a41c 343->350 344->290 349->290 356 7ffb9aa7a41e-7ffb9aa7a42c 350->356 357 7ffb9aa7a43c-7ffb9aa7a451 350->357 359 7ffb9aa7a432-7ffb9aa7a437 356->359 362 7ffb9aa7a47a-7ffb9aa7a48f 357->362 363 7ffb9aa7a453-7ffb9aa7a456 357->363 359->290 367 7ffb9aa7a52f-7ffb9aa7a544 362->367 368 7ffb9aa7a495-7ffb9aa7a4b0 362->368 363->265 364 7ffb9aa7a45c-7ffb9aa7a475 363->364 364->290 373 7ffb9aa7a55c-7ffb9aa7a571 367->373 374 7ffb9aa7a546-7ffb9aa7a557 367->374 368->359 376 7ffb9aa7a4b2-7ffb9aa7a50d 368->376 380 7ffb9aa7a611-7ffb9aa7a626 373->380 381 7ffb9aa7a577-7ffb9aa7a5c6 373->381 374->290 376->265 396 7ffb9aa7a513-7ffb9aa7a52a 376->396 386 7ffb9aa7a63e-7ffb9aa7a653 380->386 387 7ffb9aa7a628-7ffb9aa7a639 380->387 406 7ffb9aa7a5e2-7ffb9aa7a5ef 381->406 407 7ffb9aa7a5c8-7ffb9aa7a5de 381->407 393 7ffb9aa7a685-7ffb9aa7a69a 386->393 394 7ffb9aa7a655-7ffb9aa7a680 call 7ffb9aa70ed0 call 7ffb9aa794c0 386->394 387->290 402 7ffb9aa7a6a0-7ffb9aa7a772 call 7ffb9aa70ed0 call 7ffb9aa794c0 393->402 403 7ffb9aa7a777-7ffb9aa7a78c 393->403 394->290 396->290 402->290 413 7ffb9aa7a792-7ffb9aa7a795 403->413 414 7ffb9aa7a853-7ffb9aa7a868 403->414 406->265 411 7ffb9aa7a5f5-7ffb9aa7a60c 406->411 407->406 411->290 417 7ffb9aa7a79b-7ffb9aa7a7a6 413->417 418 7ffb9aa7a848-7ffb9aa7a84d 413->418 424 7ffb9aa7a87c-7ffb9aa7a891 414->424 425 7ffb9aa7a86a-7ffb9aa7a877 call 7ffb9aa794c0 414->425 417->418 422 7ffb9aa7a7ac-7ffb9aa7a846 call 7ffb9aa70ed0 call 7ffb9aa794c0 417->422 430 7ffb9aa7a84e 418->430 422->430 434 7ffb9aa7a908-7ffb9aa7a91d 424->434 435 7ffb9aa7a893-7ffb9aa7a8a4 424->435 425->290 430->290 443 7ffb9aa7a91f-7ffb9aa7a922 434->443 444 7ffb9aa7a95d-7ffb9aa7a972 434->444 435->265 441 7ffb9aa7a8aa-7ffb9aa7a8ba call 7ffb9aa705b8 435->441 455 7ffb9aa7a8bc-7ffb9aa7a8e1 call 7ffb9aa794c0 441->455 456 7ffb9aa7a8e6-7ffb9aa7a903 call 7ffb9aa705b8 call 7ffb9aa705c0 call 7ffb9aa72408 441->456 443->265 447 7ffb9aa7a928-7ffb9aa7a958 call 7ffb9aa705b0 call 7ffb9aa705c0 call 7ffb9aa72408 443->447 453 7ffb9aa7a9b8-7ffb9aa7a9cd 444->453 454 7ffb9aa7a974-7ffb9aa7a9b3 call 7ffb9aa79180 call 7ffb9aa78450 call 7ffb9aa72410 444->454 447->290 472 7ffb9aa7aa6d-7ffb9aa7aa82 453->472 473 7ffb9aa7a9d3-7ffb9aa7aa68 call 7ffb9aa70ed0 call 7ffb9aa794c0 453->473 454->290 455->290 456->290 472->290 490 7ffb9aa7aa88-7ffb9aa7aa8f 472->490 473->290 494 7ffb9aa7aaa2-7ffb9aa7aade 490->494 495 7ffb9aa7aa91-7ffb9aa7aa9b call 7ffb9aa77fd0 490->495 494->290 495->494
                Memory Dump Source
                • Source File: 00000000.00000002.3298505546.00007FFB9AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB9AA70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffb9aa70000_1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd67.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1429c2d25420d12d7141d74caa600e42ac77d806a6b044d98081b2cd10820108
                • Instruction ID: ef12d8433232d6d6e8cce10298e134fcae3f6471e468045cb50f61798e21697f
                • Opcode Fuzzy Hash: 1429c2d25420d12d7141d74caa600e42ac77d806a6b044d98081b2cd10820108
                • Instruction Fuzzy Hash: 1E625BB4F2C51A5BEBA4FB78C8956BA72D6FF88314B5045B8D01DC32D6DE2CB8028741

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 521 7ffb9aa76876-7ffb9aa76883 522 7ffb9aa7688e-7ffb9aa76957 521->522 523 7ffb9aa76885-7ffb9aa7688d 521->523 527 7ffb9aa76959-7ffb9aa76962 522->527 528 7ffb9aa769c3 522->528 523->522 527->528 530 7ffb9aa76964-7ffb9aa76970 527->530 529 7ffb9aa769c5-7ffb9aa769ea 528->529 536 7ffb9aa769ec-7ffb9aa769f5 529->536 537 7ffb9aa76a56 529->537 531 7ffb9aa76972-7ffb9aa76984 530->531 532 7ffb9aa769a9-7ffb9aa769c1 530->532 534 7ffb9aa76988-7ffb9aa7699b 531->534 535 7ffb9aa76986 531->535 532->529 534->534 538 7ffb9aa7699d-7ffb9aa769a5 534->538 535->534 536->537 539 7ffb9aa769f7-7ffb9aa76a03 536->539 540 7ffb9aa76a58-7ffb9aa76b00 537->540 538->532 541 7ffb9aa76a3c-7ffb9aa76a54 539->541 542 7ffb9aa76a05-7ffb9aa76a17 539->542 551 7ffb9aa76b02-7ffb9aa76b0c 540->551 552 7ffb9aa76b6e 540->552 541->540 543 7ffb9aa76a1b-7ffb9aa76a2e 542->543 544 7ffb9aa76a19 542->544 543->543 546 7ffb9aa76a30-7ffb9aa76a38 543->546 544->543 546->541 551->552 553 7ffb9aa76b0e-7ffb9aa76b1b 551->553 554 7ffb9aa76b70-7ffb9aa76b99 552->554 555 7ffb9aa76b1d-7ffb9aa76b2f 553->555 556 7ffb9aa76b54-7ffb9aa76b6c 553->556 561 7ffb9aa76b9b-7ffb9aa76ba6 554->561 562 7ffb9aa76c03 554->562 557 7ffb9aa76b31 555->557 558 7ffb9aa76b33-7ffb9aa76b46 555->558 556->554 557->558 558->558 560 7ffb9aa76b48-7ffb9aa76b50 558->560 560->556 561->562 563 7ffb9aa76ba8-7ffb9aa76bb6 561->563 564 7ffb9aa76c05-7ffb9aa76c96 562->564 565 7ffb9aa76bef-7ffb9aa76c01 563->565 566 7ffb9aa76bb8-7ffb9aa76bca 563->566 572 7ffb9aa76c9c-7ffb9aa76cab 564->572 565->564 567 7ffb9aa76bce-7ffb9aa76be1 566->567 568 7ffb9aa76bcc 566->568 567->567 570 7ffb9aa76be3-7ffb9aa76beb 567->570 568->567 570->565 573 7ffb9aa76cad 572->573 574 7ffb9aa76cb3-7ffb9aa76d18 call 7ffb9aa76d34 572->574 573->574 581 7ffb9aa76d1f-7ffb9aa76d33 574->581 582 7ffb9aa76d1a 574->582 582->581
                Memory Dump Source
                • Source File: 00000000.00000002.3298505546.00007FFB9AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB9AA70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffb9aa70000_1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd67.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c2b56e4f5bb7746bf21b12ac3a0b37d3c47b206425b568c1c978f1b4fd567845
                • Instruction ID: 4cbe834c07be37a0574dc4b407472182cbd6fe80ec2d469d1e0c1136054bb046
                • Opcode Fuzzy Hash: c2b56e4f5bb7746bf21b12ac3a0b37d3c47b206425b568c1c978f1b4fd567845
                • Instruction Fuzzy Hash: 66F1A570918A4E8FEBA9DF38C8557EA77E1FF55310F04426EE84DC7291CB38A9458B81

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 583 7ffb9aa77622-7ffb9aa7762f 584 7ffb9aa77631-7ffb9aa77639 583->584 585 7ffb9aa7763a-7ffb9aa77707 583->585 584->585 589 7ffb9aa77709-7ffb9aa77712 585->589 590 7ffb9aa77773 585->590 589->590 592 7ffb9aa77714-7ffb9aa77720 589->592 591 7ffb9aa77775-7ffb9aa7779a 590->591 599 7ffb9aa7779c-7ffb9aa777a5 591->599 600 7ffb9aa77806 591->600 593 7ffb9aa77722-7ffb9aa77734 592->593 594 7ffb9aa77759-7ffb9aa77771 592->594 596 7ffb9aa77738-7ffb9aa7774b 593->596 597 7ffb9aa77736 593->597 594->591 596->596 598 7ffb9aa7774d-7ffb9aa77755 596->598 597->596 598->594 599->600 601 7ffb9aa777a7-7ffb9aa777b3 599->601 602 7ffb9aa77808-7ffb9aa7782d 600->602 603 7ffb9aa777ec-7ffb9aa77804 601->603 604 7ffb9aa777b5-7ffb9aa777c7 601->604 608 7ffb9aa7782f-7ffb9aa77839 602->608 609 7ffb9aa7789b 602->609 603->602 606 7ffb9aa777cb-7ffb9aa777de 604->606 607 7ffb9aa777c9 604->607 606->606 610 7ffb9aa777e0-7ffb9aa777e8 606->610 607->606 608->609 611 7ffb9aa7783b-7ffb9aa77848 608->611 612 7ffb9aa7789d-7ffb9aa778cb 609->612 610->603 613 7ffb9aa77881-7ffb9aa77899 611->613 614 7ffb9aa7784a-7ffb9aa7785c 611->614 619 7ffb9aa778cd-7ffb9aa778d8 612->619 620 7ffb9aa7793b 612->620 613->612 615 7ffb9aa77860-7ffb9aa77873 614->615 616 7ffb9aa7785e 614->616 615->615 618 7ffb9aa77875-7ffb9aa7787d 615->618 616->615 618->613 619->620 622 7ffb9aa778da-7ffb9aa778e8 619->622 621 7ffb9aa7793d-7ffb9aa77a2a 620->621 633 7ffb9aa77a32-7ffb9aa77a4c 621->633 634 7ffb9aa77a2c 621->634 623 7ffb9aa77921-7ffb9aa77939 622->623 624 7ffb9aa778ea-7ffb9aa778fc 622->624 623->621 625 7ffb9aa77900-7ffb9aa77913 624->625 626 7ffb9aa778fe 624->626 625->625 628 7ffb9aa77915-7ffb9aa7791d 625->628 626->625 628->623 637 7ffb9aa77a55-7ffb9aa77a94 call 7ffb9aa77ab0 633->637 634->633 641 7ffb9aa77a9b-7ffb9aa77aaf 637->641 642 7ffb9aa77a96 637->642 642->641
                Memory Dump Source
                • Source File: 00000000.00000002.3298505546.00007FFB9AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB9AA70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffb9aa70000_1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd67.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 61fdab3d1a886ff511df3886135b5d752581f1a766cfb27fa9e4249d9a33e212
                • Instruction ID: 4a0bde74d18b93a0d60b7dd671348a357c62f19956003ee74cfa97e838db901b
                • Opcode Fuzzy Hash: 61fdab3d1a886ff511df3886135b5d752581f1a766cfb27fa9e4249d9a33e212
                • Instruction Fuzzy Hash: 2BE1A370908A4E8FEBA8DF28C8557FA77D1FF54310F14426EE84DC72A1DE78A9458B81

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 105 7ffb9aa71be8-7ffb9aa71bef 106 7ffb9aa71bf1-7ffb9aa71bf9 105->106 107 7ffb9aa71bfa-7ffb9aa71c6d 105->107 106->107 111 7ffb9aa71cf9-7ffb9aa71cfd 107->111 112 7ffb9aa71c73-7ffb9aa71c78 107->112 113 7ffb9aa71c82-7ffb9aa71cbf SetWindowsHookExW 111->113 114 7ffb9aa71c7f-7ffb9aa71c80 112->114 115 7ffb9aa71cc1 113->115 116 7ffb9aa71cc7-7ffb9aa71cf8 113->116 114->113 115->116
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3298505546.00007FFB9AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB9AA70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffb9aa70000_1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd67.jbxd
                Similarity
                • API ID: HookWindows
                • String ID:
                • API String ID: 2559412058-0
                • Opcode ID: 4175cd108e58bed9385042a18bd0239f0e7791804c777f615431eed4d964bfa7
                • Instruction ID: ceb392e3a367def1554f6cf3e93d590461c60531ff2998232f560c3a0f7bf3f8
                • Opcode Fuzzy Hash: 4175cd108e58bed9385042a18bd0239f0e7791804c777f615431eed4d964bfa7
                • Instruction Fuzzy Hash: 39310A70E1CA494FDB58EB6CD8466F977E1EF99321F00427ED009D3292CE64B85287C1