Edit tour

Windows Analysis Report
cake.exe

Overview

General Information

Sample name:	cake.exe
Analysis ID:	1518520
MD5:	d64c3a1236eed6ba90305dcb38f92f6c
SHA1:	9d239b7f28e6dbd96b2a1a8484747874664aaa8b
SHA256:	18dc423099be030506353e6b26762f2c789f22e79991192f4fae3e290afacc07
Tags:	exeuser-Piist
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

cake.exe (PID: 5144 cmdline: "C:\Users\user\Desktop\cake.exe" MD5: D64C3A1236EED6BA90305DCB38F92F6C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["vecotr.viewdns.net"], "Port": "50000", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
cake.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
cake.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b1a:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2068525061.0000000000072000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2068525061.0000000000072000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6aa8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6b45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6c5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x691a:$cnc4: POST / HTTP/1.1
Process Memory Space: cake.exe PID: 5144	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.cake.exe.70000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.cake.exe.70000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b1a:$cnc4: POST / HTTP/1.1

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T19:15:53.508270+0200	2853193	1	Malware Command and Control Activity Detected	192.168.2.5	49714	163.5.112.71	50000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: cake.exe

Avira: detected

Found malware configuration

Source: cake.exe

Malware Configuration Extractor: Xworm {"C2 url": ["vecotr.viewdns.net"], "Port": "50000", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: cake.exe

ReversingLabs: Detection: 81%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: cake.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: cake.exe	String decryptor: vecotr.viewdns.net
Source: cake.exe	String decryptor: 50000
Source: cake.exe	String decryptor: <123456789>
Source: cake.exe	String decryptor: <Xwormmm>
Source: cake.exe	String decryptor: XWorm V5.6
Source: cake.exe	String decryptor: USB.exe

Source: cake.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: cake.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 163.5.112.71:50000
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49714 -> 163.5.112.71:50000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: vecotr.viewdns.net

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 163.5.112.71:50000

Source: Joe Sandbox View

ASN Name: EPITECHFR EPITECHFR

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: vecotr.viewdns.net

Source: cake.exe, 00000000.00000002.4537232348.0000000002211000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: cake.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.cake.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2068525061.0000000000072000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\cake.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\cake.exe	Code function: 0_2_00007FF848E75D76		0_2_00007FF848E75D76
Source: C:\Users\user\Desktop\cake.exe	Code function: 0_2_00007FF848E76B22		0_2_00007FF848E76B22

Source: cake.exe, 00000000.00000000.2068525061.0000000000072000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs cake.exe
Source: cake.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs cake.exe

Source: cake.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: cake.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.cake.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2068525061.0000000000072000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: cake.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: cake.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: cake.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@4/1

Source: C:\Users\user\Desktop\cake.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\cake.exe	Mutant created: \Sessions\1\BaseNamedObjects\FxwhhRft8tFCNpWd

Source: cake.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: cake.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\cake.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cake.exe

ReversingLabs: Detection: 81%

Source: C:\Users\user\Desktop\cake.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\cake.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: cake.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: cake.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: cake.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: cake.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: cake.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: cake.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: cake.exe, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\cake.exe

Code function: 0_2_00007FF848E700BD pushad ; iretd

0_2_00007FF848E700C1

Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\cake.exe	Memory allocated: 8C0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Memory allocated: 1A210000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\cake.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\cake.exe	Window / User API: threadDelayed 9289			Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	Window / User API: threadDelayed 554			Jump to behavior

Source: C:\Users\user\Desktop\cake.exe TID: 6584	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe TID: 6196	Thread sleep count: 9289 > 30	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe TID: 6196	Thread sleep count: 554 > 30	Jump to behavior

Source: C:\Users\user\Desktop\cake.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cake.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\cake.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: cake.exe, 00000000.00000002.4536673250.00000000004CC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\cake.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\cake.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: cake.exe, 00000000.00000002.4537232348.0000000002255000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: cake.exe, 00000000.00000002.4537232348.0000000002255000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: cake.exe, 00000000.00000002.4537232348.0000000002255000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: cake.exe, 00000000.00000002.4537232348.0000000002255000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: cake.exe, 00000000.00000002.4537232348.0000000002255000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2

Source: C:\Users\user\Desktop\cake.exe

Queries volume information: C:\Users\user\Desktop\cake.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\cake.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: cake.exe, 00000000.00000002.4536673250.0000000000406000.00000004.00000020.00020000.00000000.sdmp, cake.exe, 00000000.00000002.4536673250.000000000040C000.00000004.00000020.00020000.00000000.sdmp, cake.exe, 00000000.00000002.4538708370.000000001B0F3000.00000004.00000020.00020000.00000000.sdmp, cake.exe, 00000000.00000002.4536673250.000000000046E000.00000004.00000020.00020000.00000000.sdmp, cake.exe, 00000000.00000002.4538708370.000000001B0C0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\cake.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: cake.exe, type: SAMPLE
Source: Yara match	File source: 0.0.cake.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2068525061.0000000000072000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cake.exe PID: 5144, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: cake.exe, type: SAMPLE
Source: Yara match	File source: 0.0.cake.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2068525061.0000000000072000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cake.exe PID: 5144, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	121 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
cake.exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.XWorm
cake.exe	100%	Avira	HEUR/AGEN.1305769
cake.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
vecotr.viewdns.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
vecotr.viewdns.net	163.5.112.71	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
vecotr.viewdns.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	cake.exe, 00000000.00000002.4537232348.0000000002211000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
163.5.112.71	vecotr.viewdns.net	France		56339	EPITECHFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518520
Start date and time:	2024-09-25 19:13:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cake.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@4/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 44 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target cake.exe, PID 5144 because it is empty
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: cake.exe

Simulations

Behavior and APIs

Time	Type	Description
13:14:06	API Interceptor	14287016x Sleep call for process: cake.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
vecotr.viewdns.net	LUYYSwStKN.ps1	Get hash	malicious	XWorm	Browse	191.96.207.180
	84Z63SyEQ7.ps1	Get hash	malicious	PureLog Stealer, XWorm	Browse	191.96.207.180
	XClient.exe	Get hash	malicious	XWorm	Browse	191.96.207.180
	GvJxEfWyS1.ps1	Get hash	malicious	PureLog Stealer, XWorm	Browse	191.96.207.180
	7lFbTUxX9m.ps1	Get hash	malicious	PureLog Stealer, XWorm	Browse	191.96.207.180
	XeI2N4WyGz.ps1	Get hash	malicious	XWorm	Browse	191.96.207.180
	lzsVg6vGuu.ps1	Get hash	malicious	PureLog Stealer, XWorm	Browse	191.96.207.180
	payload_1.vbs	Get hash	malicious	XWorm	Browse	191.96.207.180
	Commitment_for_Title_Insurance-660184790411.wsf	Get hash	malicious	XWorm	Browse	191.96.207.180

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EPITECHFR	https://247-dapprectify.pages.dev/wallet/index.html	Get hash	malicious	Unknown	Browse	163.5.194.32
	http://solanadappsmainnet.pages.dev/	Get hash	malicious	Unknown	Browse	163.5.194.34
	https://247-dapprectify.pages.dev/wallet/wallet/inputs.html	Get hash	malicious	Unknown	Browse	163.5.194.33
	https://247-dapprectify.pages.dev/wallet/index.html	Get hash	malicious	Unknown	Browse	163.5.194.32
	https://secure.rpcthai.com/	Get hash	malicious	Unknown	Browse	163.5.194.36
	SecuriteInfo.com.Linux.Siggen.9999.6095.9527.elf	Get hash	malicious	Mirai	Browse	163.5.176.66
	https://multichainfix.pages.dev/chunks/patterns	Get hash	malicious	Unknown	Browse	163.5.194.35
	https://sucursal-virtual123.w3spaces.com/	Get hash	malicious	Unknown	Browse	163.5.194.37
	400000.RegSvcs.exe	Get hash	malicious	AsyncRAT	Browse	163.5.160.233
	xde1wui2zjw.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, XWorm	Browse	163.5.160.233

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.59506560425833
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	cake.exe
File size:	33'280 bytes
MD5:	d64c3a1236eed6ba90305dcb38f92f6c
SHA1:	9d239b7f28e6dbd96b2a1a8484747874664aaa8b
SHA256:	18dc423099be030506353e6b26762f2c789f22e79991192f4fae3e290afacc07
SHA512:	526e7fd2e97e41a9bde5dc6bb06014b2f59c9a6d8338526d1f31dee4df32793ab0448aa13be2baa77d6e059c27fdd5c9d728745e5a4ec41c524eb3382c176931
SSDEEP:	384:mlRmhGD91SluSWhnHHxzLmYV3Tm2eaFOzlzRApkFTBLTsOZwpGd2v99IkuisFVFE:GRPD9OQhx/BV3Tw4OlzVFE9jcOjhfbH
TLSH:	53E23B4877E44712DAFEAFB12DF261061271D51BD823EF9E0CE485EA2B67AC047407E6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M.f.................x............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40979e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66DF4DB3 [Mon Sep 9 19:34:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9744	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x77a4	0x7800	ac61a5122f8cbfa991fc259cf079a73a	False	0.5017903645833334	data	5.74573214807577	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x4d8	0x600	afbb984503128042cc38bf70e5e337f4	False	0.375	data	3.7203482473352403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc000	0xc	0x200	fbad57bc563b9a0d7654c19529129cc5	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa0a0	0x244	data			0.4724137931034483
RT_MANIFEST	0xa2e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-25T19:14:18.618659+0200	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.5	49704	163.5.112.71	50000	TCP
2024-09-25T19:15:53.508270+0200	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.5	49714	163.5.112.71	50000	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 19:14:07.672586918 CEST	49704	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:14:07.677644014 CEST	50000	49704	163.5.112.71	192.168.2.5
Sep 25, 2024 19:14:07.677747011 CEST	49704	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:14:08.119388103 CEST	49704	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:14:08.124471903 CEST	50000	49704	163.5.112.71	192.168.2.5
Sep 25, 2024 19:14:18.618659019 CEST	49704	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:14:18.623768091 CEST	50000	49704	163.5.112.71	192.168.2.5
Sep 25, 2024 19:14:29.076006889 CEST	50000	49704	163.5.112.71	192.168.2.5
Sep 25, 2024 19:14:29.076200008 CEST	49704	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:14:30.424199104 CEST	49704	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:14:30.426044941 CEST	49710	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:14:30.530380011 CEST	50000	49704	163.5.112.71	192.168.2.5
Sep 25, 2024 19:14:30.530401945 CEST	50000	49710	163.5.112.71	192.168.2.5
Sep 25, 2024 19:14:30.530503988 CEST	49710	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:14:30.556523085 CEST	49710	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:14:30.561373949 CEST	50000	49710	163.5.112.71	192.168.2.5
Sep 25, 2024 19:14:45.559494019 CEST	49710	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:14:45.564825058 CEST	50000	49710	163.5.112.71	192.168.2.5
Sep 25, 2024 19:14:51.904378891 CEST	50000	49710	163.5.112.71	192.168.2.5
Sep 25, 2024 19:14:51.904638052 CEST	49710	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:14:53.486768961 CEST	49710	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:14:53.487966061 CEST	49711	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:14:53.491813898 CEST	50000	49710	163.5.112.71	192.168.2.5
Sep 25, 2024 19:14:53.493079901 CEST	50000	49711	163.5.112.71	192.168.2.5
Sep 25, 2024 19:14:53.493171930 CEST	49711	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:14:53.516880989 CEST	49711	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:14:53.521812916 CEST	50000	49711	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:07.143255949 CEST	49711	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:07.159614086 CEST	50000	49711	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:14.922636032 CEST	50000	49711	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:14.922729969 CEST	49711	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:16.020163059 CEST	49711	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:16.025468111 CEST	50000	49711	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:16.044150114 CEST	49713	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:16.049067974 CEST	50000	49713	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:16.052253008 CEST	49713	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:16.152153015 CEST	49713	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:16.157015085 CEST	50000	49713	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:16.440031052 CEST	49713	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:16.445061922 CEST	50000	49713	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:25.127818108 CEST	49713	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:25.132790089 CEST	50000	49713	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:32.008224010 CEST	49713	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:32.013319016 CEST	50000	49713	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:34.580785990 CEST	49713	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:34.586849928 CEST	50000	49713	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:35.613131046 CEST	49713	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:35.618964911 CEST	50000	49713	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:37.112195015 CEST	49713	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:37.117244959 CEST	50000	49713	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:37.143162966 CEST	49713	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:37.148269892 CEST	50000	49713	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:37.159060001 CEST	49713	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:37.163855076 CEST	50000	49713	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:37.237097979 CEST	49713	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:37.242582083 CEST	50000	49713	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:37.436630964 CEST	50000	49713	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:37.439879894 CEST	49713	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:42.252510071 CEST	49713	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:42.256216049 CEST	49714	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:42.257544041 CEST	50000	49713	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:42.261229038 CEST	50000	49714	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:42.262319088 CEST	49714	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:42.312846899 CEST	49714	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:42.318279982 CEST	50000	49714	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:49.127775908 CEST	49714	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:49.133260965 CEST	50000	49714	163.5.112.71	192.168.2.5
Sep 25, 2024 19:15:53.508270025 CEST	49714	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:15:53.514394999 CEST	50000	49714	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:01.503618956 CEST	49714	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:01.508878946 CEST	50000	49714	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:02.536303043 CEST	49714	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:02.542298079 CEST	50000	49714	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:03.620367050 CEST	50000	49714	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:03.624376059 CEST	49714	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:07.549362898 CEST	49714	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:07.556313992 CEST	49715	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:07.558341980 CEST	50000	49714	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:07.565573931 CEST	50000	49715	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:07.565699100 CEST	49715	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:07.640424013 CEST	49715	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:07.649120092 CEST	50000	49715	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:08.580710888 CEST	49715	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:08.588184118 CEST	50000	49715	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:13.471513987 CEST	49715	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:13.476922989 CEST	50000	49715	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:13.502599001 CEST	49715	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:13.507491112 CEST	50000	49715	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:24.565315962 CEST	49715	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:24.675677061 CEST	50000	49715	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:26.549530983 CEST	49715	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:26.554940939 CEST	50000	49715	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:28.918421030 CEST	50000	49715	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:28.918507099 CEST	49715	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:29.131331921 CEST	49715	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:29.137763023 CEST	50000	49715	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:29.169574022 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:29.175153017 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:29.175225973 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:29.218096018 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:29.231468916 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:29.424542904 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:29.429461002 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:29.440184116 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:29.445049047 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:29.455648899 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:29.472929001 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:29.472971916 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:29.480777979 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:34.520478964 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:34.525482893 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:36.908910990 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:36.913826942 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:45.127733946 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:45.132725000 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:45.143260002 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:45.149116039 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:45.174401999 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:45.179281950 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:45.299618959 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:45.304764986 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:45.315192938 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:45.320008993 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:48.831162930 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:49.223527908 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:49.533642054 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:49.923738003 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:49.923752069 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:49.923762083 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:50.487026930 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:50.492089033 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:50.587055922 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:50.590863943 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:50.591023922 CEST	49716	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:50.592591047 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:50.596995115 CEST	50000	49716	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:50.597680092 CEST	50000	49717	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:50.597795963 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:50.647026062 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:50.651838064 CEST	50000	49717	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:50.815212965 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:50.820156097 CEST	50000	49717	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:50.846414089 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:50.851639032 CEST	50000	49717	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:50.971487045 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:50.976387978 CEST	50000	49717	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:51.018485069 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:51.023421049 CEST	50000	49717	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:51.049571991 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:51.054589987 CEST	50000	49717	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:51.080854893 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:51.088169098 CEST	50000	49717	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:51.096477032 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:51.103965998 CEST	50000	49717	163.5.112.71	192.168.2.5
Sep 25, 2024 19:16:56.158900023 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:16:56.163757086 CEST	50000	49717	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:04.506799936 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:04.513052940 CEST	50000	49717	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:04.783931017 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:04.788889885 CEST	50000	49717	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:06.877823114 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:06.883980989 CEST	50000	49717	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:06.893292904 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:06.898147106 CEST	50000	49717	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:06.909009933 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:06.914021969 CEST	50000	49717	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:11.950186968 CEST	50000	49717	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:11.952562094 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:12.052472115 CEST	49717	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:12.052472115 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:12.057658911 CEST	50000	49717	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:12.057712078 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:12.057823896 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:12.212306976 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:12.217698097 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.065478086 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.071702957 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.080835104 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.085647106 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.096405983 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.101502895 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.111980915 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.116780996 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.127671957 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.132441998 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.158871889 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.165436983 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.174489975 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.179282904 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.190146923 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.195008039 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.205750942 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.210515022 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.221420050 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.226452112 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.236984968 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.242137909 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.268362045 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.273344994 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.283864975 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.288810015 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.299541950 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.304455996 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.331819057 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.336585999 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.346457005 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.351288080 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.393327951 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.398278952 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.408931017 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.414135933 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.424519062 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.429830074 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:23.440114021 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:23.444974899 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:24.018593073 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:24.023504972 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:28.705843925 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:28.711216927 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:33.456316948 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:33.456401110 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:33.784531116 CEST	49718	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:33.789335966 CEST	50000	49718	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:33.797195911 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:33.801970005 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:33.804627895 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:33.996563911 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:34.003257990 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:34.737200022 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:34.742202997 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:39.018661022 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:39.252480984 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:39.564976931 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:40.169893980 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:40.169920921 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:40.170764923 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:42.676635027 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:42.682077885 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:49.455892086 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:49.510932922 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:49.510991096 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:49.574717999 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:49.581100941 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:49.661588907 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:49.661649942 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:49.764144897 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:49.768584013 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:49.859024048 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:51.670387030 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:51.710078955 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:54.924604893 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:54.941534996 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:54.971498966 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:54.979126930 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:55.080997944 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:55.091487885 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:55.096519947 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:17:55.105089903 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:55.217787981 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:17:55.217848063 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:18:00.096548080 CEST	49719	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:18:00.100625038 CEST	49720	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:18:00.266916037 CEST	50000	49719	163.5.112.71	192.168.2.5
Sep 25, 2024 19:18:00.266963959 CEST	50000	49720	163.5.112.71	192.168.2.5
Sep 25, 2024 19:18:00.267168999 CEST	49720	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:18:00.370608091 CEST	49720	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:18:00.375559092 CEST	50000	49720	163.5.112.71	192.168.2.5
Sep 25, 2024 19:18:09.831361055 CEST	49720	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:18:09.984220982 CEST	50000	49720	163.5.112.71	192.168.2.5
Sep 25, 2024 19:18:10.816623926 CEST	49720	50000	192.168.2.5	163.5.112.71
Sep 25, 2024 19:18:10.821846962 CEST	50000	49720	163.5.112.71	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 19:14:07.640628099 CEST	57915	53	192.168.2.5	1.1.1.1
Sep 25, 2024 19:14:07.650729895 CEST	53	57915	1.1.1.1	192.168.2.5
Sep 25, 2024 19:15:16.024151087 CEST	57275	53	192.168.2.5	1.1.1.1
Sep 25, 2024 19:15:16.036556959 CEST	53	57275	1.1.1.1	192.168.2.5
Sep 25, 2024 19:16:29.132929087 CEST	61017	53	192.168.2.5	1.1.1.1
Sep 25, 2024 19:16:29.143603086 CEST	53	61017	1.1.1.1	192.168.2.5
Sep 25, 2024 19:17:33.786405087 CEST	55749	53	192.168.2.5	1.1.1.1
Sep 25, 2024 19:17:33.795753002 CEST	53	55749	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 25, 2024 19:14:07.640628099 CEST	192.168.2.5	1.1.1.1	0x88e4	Standard query (0)	vecotr.viewdns.net	A (IP address)	IN (0x0001)	false
Sep 25, 2024 19:15:16.024151087 CEST	192.168.2.5	1.1.1.1	0xd660	Standard query (0)	vecotr.viewdns.net	A (IP address)	IN (0x0001)	false
Sep 25, 2024 19:16:29.132929087 CEST	192.168.2.5	1.1.1.1	0x7af2	Standard query (0)	vecotr.viewdns.net	A (IP address)	IN (0x0001)	false
Sep 25, 2024 19:17:33.786405087 CEST	192.168.2.5	1.1.1.1	0x87dd	Standard query (0)	vecotr.viewdns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 25, 2024 19:14:07.650729895 CEST	1.1.1.1	192.168.2.5	0x88e4	No error (0)	vecotr.viewdns.net	163.5.112.71	A (IP address)	IN (0x0001)	false
Sep 25, 2024 19:15:16.036556959 CEST	1.1.1.1	192.168.2.5	0xd660	No error (0)	vecotr.viewdns.net	163.5.112.71	A (IP address)	IN (0x0001)	false
Sep 25, 2024 19:16:29.143603086 CEST	1.1.1.1	192.168.2.5	0x7af2	No error (0)	vecotr.viewdns.net	163.5.112.71	A (IP address)	IN (0x0001)	false
Sep 25, 2024 19:17:33.795753002 CEST	1.1.1.1	192.168.2.5	0x87dd	No error (0)	vecotr.viewdns.net	163.5.112.71	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	13:14:02
Start date:	25/09/2024
Path:	C:\Users\user\Desktop\cake.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\cake.exe"
Imagebase:	0x70000
File size:	33'280 bytes
MD5 hash:	D64C3A1236EED6BA90305DCB38F92F6C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2068525061.0000000000072000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2068525061.0000000000072000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FF848E75D76 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fcf46a138e1bd29206d0de74029a2204deb3db0a04ecbb8657cee097fe0dd7
Instruction ID: cd45c73551c57b4f936339a5c2d8b319c181ef6ca5c6104ce6050e81ef710981
Opcode Fuzzy Hash: 80fcf46a138e1bd29206d0de74029a2204deb3db0a04ecbb8657cee097fe0dd7
Instruction Fuzzy Hash: 59F1953090CA8E8FEBA8EF28C8557E937E1FF55350F04426EE84DC7295DB34A9458B81

Function 00007FF848E76B22 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9388417b207e17912422bf1e9c6311b11cf4b2762d151da3c0eb90471d5e8a03
Instruction ID: a3ee0ae8805229a06ad532dd42d88e7bf6b4b17589e553372d21787fca2754f4
Opcode Fuzzy Hash: 9388417b207e17912422bf1e9c6311b11cf4b2762d151da3c0eb90471d5e8a03
Instruction Fuzzy Hash: BDE1A43090CA8D8FEBA8EF28C8557E977D1FF54350F14426AD84DC72A5DF7499448B81

Function 00007FF848E7845E Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

eH, xrefs: 00007FF848E786C3

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID: eH
API String ID: 0-1998315119
Opcode ID: 90ec852996764753d80d07e33e15e4ad258766d911148bca1a5ed755c09c77fb
Instruction ID: d30b37602d2c3a9eb92b6c1ae5950235ea36f0ef40fc99cfa242e46bdf9c94f1
Opcode Fuzzy Hash: 90ec852996764753d80d07e33e15e4ad258766d911148bca1a5ed755c09c77fb
Instruction Fuzzy Hash: 70812471E0D95A5FE748FB3884552A8B7D1FF64390F4802B9D01DC3196DF38A8478399

Function 00007FF848E77CE1 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF848E77D53

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 7a1e18e1c83a0448b82cd802839579ff2061c7622dd2ccdadc2062ab4cd4ad38
Instruction ID: 506a9473a9c3ad214a06a9b55053004fd7807a028914deb9a7e99044d8192320
Opcode Fuzzy Hash: 7a1e18e1c83a0448b82cd802839579ff2061c7622dd2ccdadc2062ab4cd4ad38
Instruction Fuzzy Hash: CD21C231C0C29A4FEB05ABB48C496F9BBE0FF9A350F0501BAD549D3192DF3C58458795

Function 00007FF848E70718 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acfdda535db0a74cd75c535ef182f169654c565a6404bfb5b7889b7eb426dd8c
Instruction ID: fbc1c20b20b4eeacbae75bd7af6185931e6e02dfa2091490ca642f2e78852c73
Opcode Fuzzy Hash: acfdda535db0a74cd75c535ef182f169654c565a6404bfb5b7889b7eb426dd8c
Instruction Fuzzy Hash: AFA10461E1C9495FE7A8AB2C54596BD6BD2FF98790F1805B9D00FC32C7DE286C028785

Function 00007FF848E721C4 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2187a7512fb94eea635e72a7abab0b68e8b1874d45e3c6f35e1ad593c880310b
Instruction ID: dd522d9775e9367ba74afc4f6334c687fa468ae7b963d49b7d5f9265d051692a
Opcode Fuzzy Hash: 2187a7512fb94eea635e72a7abab0b68e8b1874d45e3c6f35e1ad593c880310b
Instruction Fuzzy Hash: 6BA12661F1C98A4FE798AB2C54193B96BD2FF99790F5805B9D04FC72C7DE28AC028345

Function 00007FF848E76736 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ac298acf2a857980976e13d795eb7e0fa595e5fb07c93c62f346131f49fbb5
Instruction ID: 81f0a7d4bf1fce70415452f605aaefb56bd64f855dfc288cdb0e705bae98899b
Opcode Fuzzy Hash: 35ac298acf2a857980976e13d795eb7e0fa595e5fb07c93c62f346131f49fbb5
Instruction Fuzzy Hash: 77B1C63050CA8D8FEB99EF28C8557E93BE1FF55350F04426AE84DC7292DB349945CB86

Function 00007FF848E721FD Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3465e10073b8fe7a0c71c9794407bf8dbf5560e2d09b887a655e4ebd2e357f
Instruction ID: 4fcf449c4ece9b3ce08ec2d86362125c8fbb0f81bbf25c51bf01a69e58d395e4
Opcode Fuzzy Hash: 2b3465e10073b8fe7a0c71c9794407bf8dbf5560e2d09b887a655e4ebd2e357f
Instruction Fuzzy Hash: B4A13661F1CA894FE7A8AB3C54192B96BD2FF99790F0805B9D00FC32C7DE286C028345

Function 00007FF848E725F5 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 014b0c51465d48d92c8c384e9af88a0f31269b0d3f372fd72c3569e039d87131
Instruction ID: 4f912e41dc04e36594bbbfff9f5c82b59e927e0f1bf3153cfaefe9d62cdefa5f
Opcode Fuzzy Hash: 014b0c51465d48d92c8c384e9af88a0f31269b0d3f372fd72c3569e039d87131
Instruction Fuzzy Hash: 9EA1B16075DD49AFE788B7AC945577AF2D3FF98340F284176E009C36D7CE28A8018B66

Function 00007FF848E77523 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383a05b97abe31f2117345c8959ab107e3f876ca7bbd9ed0e979df7e80867fcc
Instruction ID: a805206fe22d5598506d4d7f662e0b5d38b3bbf0e6163dd64d11b08fe34c6dfd
Opcode Fuzzy Hash: 383a05b97abe31f2117345c8959ab107e3f876ca7bbd9ed0e979df7e80867fcc
Instruction Fuzzy Hash: 4111E022A1CA9D0FE742FB6C68295B97BA1FB96651B0802F7D448C7192DE141C054392

Function 00007FF848E77DCD Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d1d5352bb476d7e7976e9ff426488e7b6ceba31638130c3de4f8e54ebbc316
Instruction ID: c66e339aad420d565d8de565caba101b26bf4f388fb72f6f6594b2b8b8f8f0e6
Opcode Fuzzy Hash: 09d1d5352bb476d7e7976e9ff426488e7b6ceba31638130c3de4f8e54ebbc316
Instruction Fuzzy Hash: 81516F70908A1C8FDB98EF68D845BEDBBF1FF99311F14426AD44DD3252DB34A8468B81

Function 00007FF848E70925 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff5bdc4c20ed9d5382813348bdb549fff82972d84435a5639da9598337f01610
Instruction ID: 78271e228f4c3f8e516ae695b49f828f5ddb4892215d6a7efb93ea69249e9da9
Opcode Fuzzy Hash: ff5bdc4c20ed9d5382813348bdb549fff82972d84435a5639da9598337f01610
Instruction Fuzzy Hash: 7651E421F1D94A5FDB98FB7854695BD7BD2FF88350F8404B9E00EC32CADE28A9018754

Function 00007FF848E7897D Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0727c38ce98a7b355ea489398dd0dae3a0d371bce2a0ee44d57c7c8f31d6776b
Instruction ID: 02334b243cd729b4c485bc67110d414936cfa9290801962071608923dbd48b80
Opcode Fuzzy Hash: 0727c38ce98a7b355ea489398dd0dae3a0d371bce2a0ee44d57c7c8f31d6776b
Instruction Fuzzy Hash: B2510531A0D9594FDB94FB389859AF9B7E1FF59351F0801BAE00DD32A2CE389842C745

Function 00007FF848E7366C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070a2e9f95e22dcca5132950fcc539fed99702e17b829e6dffbada1c3acb2be1
Instruction ID: e9bc81a4ad289cc05b09ba8055d645bf85160d5b9d3acbb12e4db48cbd22b4bc
Opcode Fuzzy Hash: 070a2e9f95e22dcca5132950fcc539fed99702e17b829e6dffbada1c3acb2be1
Instruction Fuzzy Hash: 69517031908A1C8FDB98EB58D845BE9BBF1FB59350F0082AAD44DD3252DF34A9858F81

Function 00007FF848E78F6A Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58956180a9af4509d9602a853e57c35e4e29a8673380449d8adf485c7805859
Instruction ID: 880736c7df567758bd6a16452aa059ac3f73467df02ac6e270a10a89edf9be67
Opcode Fuzzy Hash: c58956180a9af4509d9602a853e57c35e4e29a8673380449d8adf485c7805859
Instruction Fuzzy Hash: FC51F27090CA4D8FD749EF68D859AB87BE0FF56360F0841AED00DC7292DB38A846CB51

Function 00007FF848E71738 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998c0d5d7338217dfb9a1c7e0e4bbe2880aa8a2c8c31f621e4b344b8eea3e6d4
Instruction ID: de81761da2cdd97d0794b3cdb049a7cdbd1af8c505adc68fbf88d803112deb41
Opcode Fuzzy Hash: 998c0d5d7338217dfb9a1c7e0e4bbe2880aa8a2c8c31f621e4b344b8eea3e6d4
Instruction Fuzzy Hash: 4D510230D0D7868FE74AA73458222A9BFA1FF163A0F1802B9C459C71D3DF6DA846C755

Function 00007FF848E705A0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd1dc028585f17ab24c9630bbad7dc798571b24331b095f22ae1092a1639fe1
Instruction ID: b5dcdb1079cd4a5f5a426f6eecfa11ad1306923f9c293bb48f0a9f589cf5eeef
Opcode Fuzzy Hash: 4dd1dc028585f17ab24c9630bbad7dc798571b24331b095f22ae1092a1639fe1
Instruction Fuzzy Hash: DE414621F1DE8A4FE398F63C945A67977D2FB85790F0804B9E44DC3296DE28AC428746

Function 00007FF848E70740 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa901678c32d4579076dbcacda55e2d27d28292d365d2001cfbfff3297aebac
Instruction ID: fc69e6fa32a490a6f94dfb5a5c1d2deb7e3d94518cd584732d3a80bc8d9ad71d
Opcode Fuzzy Hash: ffa901678c32d4579076dbcacda55e2d27d28292d365d2001cfbfff3297aebac
Instruction Fuzzy Hash: C5517030A289299FEB98FB28D8456BC77E2FF98740F500179E40ED3295CF34A8429B44

Function 00007FF848E786F1 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb15ad73bdbbd4674676122c9cdda6d56aaa5d7ad83ab831d65808b04ff58bd
Instruction ID: cf520b7b18012c9f5371cc565c9cd9b73c2245dbeb8a0a54d38141d00012d2f4
Opcode Fuzzy Hash: ddb15ad73bdbbd4674676122c9cdda6d56aaa5d7ad83ab831d65808b04ff58bd
Instruction Fuzzy Hash: 7D51AF30A1D9699FEB94EB28D8556BC7BF2FF68740F4400BAE40DD3292DF3868028744

Function 00007FF848E7148D Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b867c08f2691fee894341a62204125972b1a923c55ba3160eeb9e5a41593fc7f
Instruction ID: dd473c9ee4c8796ac422b5ec974c286bb8284b02f6b65b14488e10eee24e3427
Opcode Fuzzy Hash: b867c08f2691fee894341a62204125972b1a923c55ba3160eeb9e5a41593fc7f
Instruction Fuzzy Hash: 38516E7490DA5C8FEB9CEF68D459BA97BE0FF55311F0401AEE00AC3691CB759941CB41

Function 00007FF848E70B5E Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad882b286b0854f76d0f51b483eb1e7334bab7a65d9adb7a72ce6db3a62c5b6
Instruction ID: 566816b1e0d5d12ad2221f9626a60621748e9e0357338a17dc7e110f4f9b1ca8
Opcode Fuzzy Hash: dad882b286b0854f76d0f51b483eb1e7334bab7a65d9adb7a72ce6db3a62c5b6
Instruction Fuzzy Hash: 95410420B1DA890FE389A77C5869379BBD1EF9A755F0801FAE04DC72D7DE285C068351

Function 00007FF848E70780 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a683a80081556beedf2a95fc664786bd2dd7331494267dc8df1ea925ed0007e
Instruction ID: 92d90156fb4a3da4728f8885d5dd7dd50c09112bbc212626d08154828da0f51d
Opcode Fuzzy Hash: 8a683a80081556beedf2a95fc664786bd2dd7331494267dc8df1ea925ed0007e
Instruction Fuzzy Hash: 8A416D74A09A5D8FEB9CEF68D459BB9B7E0FB65301F04017EE00AD3691CB75E8418B41

Function 00007FF848E78131 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98b5af8cc0a47f0254760f4eef56f51539d8217a989697cdd6ed907f3425d05
Instruction ID: 8f0d1b47575ec3c21496d14b24b5d73e2d724cdc8744075690bb445989091940
Opcode Fuzzy Hash: e98b5af8cc0a47f0254760f4eef56f51539d8217a989697cdd6ed907f3425d05
Instruction Fuzzy Hash: 2041B071A1C9599FEB84FB6884596FC7BF2FFA9351F0401BAD409D3292DF3898428B14

Function 00007FF848E789D0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c13626dcbd03e5d67f89fac990b94025276d1e2a45f807d7d8e12d7d02ff16
Instruction ID: 329b68f1d39566d24f0c32415fa1319ba28d21d4614ad52759253af0558b681e
Opcode Fuzzy Hash: 32c13626dcbd03e5d67f89fac990b94025276d1e2a45f807d7d8e12d7d02ff16
Instruction Fuzzy Hash: 15418070A1891C8FDB98EB78C459AADB7E2FF98350F540179E00ED32A6DE34AC41CB40

Function 00007FF848E704C8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6387abb8ddf433b37bcf03168b9c632af3a8fffeef932db989f968b52c020d8e
Instruction ID: eb9e4863dd86c16052a0ce0102fbbcd50c63e292116ff29fe93f8919ab5b685e
Opcode Fuzzy Hash: 6387abb8ddf433b37bcf03168b9c632af3a8fffeef932db989f968b52c020d8e
Instruction Fuzzy Hash: D531E220B2D9495FE788FB2C946A779A6C2EB98755F0401BEE00EC32D7DE689C028341

Function 00007FF848E782F5 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec849fb3835fa63e7deb7e1b8836b4b5245976d0a2300c551348e60d799f887e
Instruction ID: 992d94729407c913e4bf63aac97e92cfdbaec40bfb86a01df667074abb35b813
Opcode Fuzzy Hash: ec849fb3835fa63e7deb7e1b8836b4b5245976d0a2300c551348e60d799f887e
Instruction Fuzzy Hash: 15411331C0C98A6FE349A7289C521F97BA0FF562A0F5801FAD04ACB1D2DE2C28478349

Function 00007FF848E70E11 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6eaeca897d72ad679481088e054e110115e8b0c11ccfa0bd4b826920f81041e
Instruction ID: c256f7d496a697d00627a8f4226a18ba131cb1fec488f0cf1af2553f8e2d15a0
Opcode Fuzzy Hash: c6eaeca897d72ad679481088e054e110115e8b0c11ccfa0bd4b826920f81041e
Instruction Fuzzy Hash: 9F31D221F1CD595FEB88B6BC581A3B9A7D2FB98791F044176E00DC3297DE2898014751

Function 00007FF848E70710 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cea3317bf7bcd7a2544ba69ada4fd28dba649d1a583f78920f015c8d9d72ab8
Instruction ID: cef2a726d37786963483c5bea0d7d726303b2c802ed21ffc28c8c7061c2096ed
Opcode Fuzzy Hash: 0cea3317bf7bcd7a2544ba69ada4fd28dba649d1a583f78920f015c8d9d72ab8
Instruction Fuzzy Hash: AB416A30E0CA0A8FEB98FB6894556B9B6E1FF58350F14017DD01ED3282DF39A841CB45

Function 00007FF848E70CC1 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39570cf4b6f10a6792b4a5d9562d36544da2ffa29c44ddfa8b8452565023f69f
Instruction ID: e30aa85911eebd7e1c4938ce7c8b867f6f60264edf20d1a2933a5b53f1bbfab8
Opcode Fuzzy Hash: 39570cf4b6f10a6792b4a5d9562d36544da2ffa29c44ddfa8b8452565023f69f
Instruction Fuzzy Hash: 1E419E70A19A4E9FEB48FBB894656EDBBA1FF89340F5404B9D009D328ADE3869018754

Function 00007FF848E70E30 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dccdd42759028090ad1300e76e29e6ea38e96e4185120ab91db9046a5b49de6
Instruction ID: eff1f1a06c79c6e2077f3fe10bb54c713a5a5a05320f5eb19280421810726ae1
Opcode Fuzzy Hash: 5dccdd42759028090ad1300e76e29e6ea38e96e4185120ab91db9046a5b49de6
Instruction Fuzzy Hash: BC31E321F28D195FEB88B6BC584E3BDA6D2FF98B91F144176E00DC3286DE68A8014791

Function 00007FF848E79335 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70224f4f7dc9ad478b2326d36a8d62ea5e447dc5cd1baf06b68229cc83de89aa
Instruction ID: e994a8b6126016d388eb6b47da17a70d1f8dbd8ea2a2ee71e39e7586ec0ce493
Opcode Fuzzy Hash: 70224f4f7dc9ad478b2326d36a8d62ea5e447dc5cd1baf06b68229cc83de89aa
Instruction Fuzzy Hash: 51318F3140DB489FDB19DBA8D889AE9BBF0FF56320F0482AFD089C7552D764A405CB51

Function 00007FF848E77FF9 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a23c63d610beb95b2ebd021f68370a75abc39b9f0d28025f0bac0585c9c739
Instruction ID: 6e9de40fb104dc337676e1ed1bac142444ad0602986de1ca5add7318fdcab855
Opcode Fuzzy Hash: c8a23c63d610beb95b2ebd021f68370a75abc39b9f0d28025f0bac0585c9c739
Instruction Fuzzy Hash: AD31F630A0DA999FEB46FB38C8999A87BF1FF16350B0405E6D408C7296DF38A842C745

Function 00007FF848E78B31 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c317ad6abb3cdb1aa410f865f3d506a856beaeb2bf416581785fe3c14b31e81
Instruction ID: 384548eb6e1e192bc659354aa92078cf3532b5ea4f935c47c83aadc09daed740
Opcode Fuzzy Hash: 3c317ad6abb3cdb1aa410f865f3d506a856beaeb2bf416581785fe3c14b31e81
Instruction Fuzzy Hash: ED21C071A0C96D4FDB58EB2894996BDB7E0FF68351F04067ED04ED3292CF3968028749

Function 00007FF848E713D5 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded75c886d788c61d1b1745bc95fe382a24d2f3ffe29324be3b65b2155bd1dd6
Instruction ID: 78fe9eb721fa21e680b70f6a6dbed0cbbbf502456a11f4f8ad296d1692ea948b
Opcode Fuzzy Hash: ded75c886d788c61d1b1745bc95fe382a24d2f3ffe29324be3b65b2155bd1dd6
Instruction Fuzzy Hash: 57219E21E1D7429FE769B67884562BD26A2BF91790F5810B9E00DC72C7EF3DA8024399

Function 00007FF848E79259 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee17c73027aa61ed46bded29eabb5fbada17ae79026fa368be12db6cc84b25d0
Instruction ID: 574190ac1024a6b3cf427fbe60026ed8f5680d19933178ae790ab58eba890ea9
Opcode Fuzzy Hash: ee17c73027aa61ed46bded29eabb5fbada17ae79026fa368be12db6cc84b25d0
Instruction Fuzzy Hash: 87216D30A4C9CA0FE746F77848165F97BD2FF9A250F0441BAD549C7192DF2C98028355

Function 00007FF848E79141 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c21a51809bffed25928861685f62eeb251be7311d6933972ced9c6e6288b96
Instruction ID: 96c37f9452cd0f9adc74f95dc707080e945e8f9772aa5ae5b0bb9ef957a0eda3
Opcode Fuzzy Hash: 85c21a51809bffed25928861685f62eeb251be7311d6933972ced9c6e6288b96
Instruction Fuzzy Hash: BC21D550A2DD996FE749B76C54267E9B7D1FF54740F5801B5E00CC32C3CE2C680187A6

Function 00007FF848E712C1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cff489ba4ecfa336814e7bcd2f09d1174033d2cec6b375cc606d7a616716881
Instruction ID: d33998ae19359a4e260ffd0c0c046fc161d30548d934d2c3f3c21b614182e534
Opcode Fuzzy Hash: 6cff489ba4ecfa336814e7bcd2f09d1174033d2cec6b375cc606d7a616716881
Instruction Fuzzy Hash: 1811A1B1D1C6CD8FE789EF3854691BD7FE0EB66200F4800EFC44AD6596DE7511548701

Function 00007FF848E77C21 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6babb223e42f00c1485b1768eb90981b102bce290295452659619232d92a403b
Instruction ID: e4a0f424982f637197c3199bebd22ba611b16b3349692b552a341bfd80ddc672
Opcode Fuzzy Hash: 6babb223e42f00c1485b1768eb90981b102bce290295452659619232d92a403b
Instruction Fuzzy Hash: 83110031E0DA9D4FDB44EBB8881A1FD7BE0FF28641F4001BBD408D7196EB2898408B82

Function 00007FF848E70738 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecbac254ea11747927327a8d03b0f1aa006b6e4791c183cb590084cc50b94587
Instruction ID: b50b0a4fd529e5d5319afcc87f39d52b01eee92f51d23edd7bc5088287833104
Opcode Fuzzy Hash: ecbac254ea11747927327a8d03b0f1aa006b6e4791c183cb590084cc50b94587
Instruction Fuzzy Hash: 15F0A431E1891D5EEB54BB68944A1FE77E0FF58741F100177D419E3185DF3459404BC5

Function 00007FF848E7135D Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71756ddec1a5c2c055d00eb62b3371020486f23175983ff5644698d3c3dd46c
Instruction ID: 136727d0f250b483b23dd14437611db8bfeb822cdf6a85911a048b8660156d5f
Opcode Fuzzy Hash: a71756ddec1a5c2c055d00eb62b3371020486f23175983ff5644698d3c3dd46c
Instruction Fuzzy Hash: 2F01D120E1EB869FE7A9B778446A2796AD1FF91380F5500BAD00AC35C7DE2DA8418345

Function 00007FF848E7143B Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650e512c49b5f87d3ab5d87ad534deee5ffad65a1fc79d9b976a233b36eaad2e
Instruction ID: 04e1b1226ebcb116b093daed6d45edf4bc8a8bbb6ae469603a4dc2e74e1c0e92
Opcode Fuzzy Hash: 650e512c49b5f87d3ab5d87ad534deee5ffad65a1fc79d9b976a233b36eaad2e
Instruction Fuzzy Hash: A1F06D30D0C656DEE361FB28C045A7DB6A2FFA4790F540674D01DC22C6EF39B8518799

Function 00007FF848E71141 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ee88852b8916e8581dccb5900a562968e84188ade90f5623e69ce890bebd76
Instruction ID: 31d832d0d71f26ef7ed2458a99ea28caf28c849c6e03e203c72f28d0a25e9c7b
Opcode Fuzzy Hash: 37ee88852b8916e8581dccb5900a562968e84188ade90f5623e69ce890bebd76
Instruction Fuzzy Hash: B6E0C2328683CD4FD7427AA058221DA7B24FF51200F4105CBF41CC7052E72096188382

Function 00007FF848E71284 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7c3b83de1a810af6a9c0b0d46c37e59a6265fc999acb8ebbf95868d715d9f0
Instruction ID: 79a37955dabc4ba17d212ad3967e951007b01586e7893ad4939f3a806e5177b0
Opcode Fuzzy Hash: cd7c3b83de1a810af6a9c0b0d46c37e59a6265fc999acb8ebbf95868d715d9f0
Instruction Fuzzy Hash: 89D05B05C5D2C70FE70B32B80C965947F519E132E0F4903D1D454C74D3ED5D549A537A

Function 00007FF848E70795 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4539322467.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_cake.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e65dd4ba68bbb97a4f2f36a3ef5b2bb626c93ac90d9831ab7b834ad64c2e06
Instruction ID: 0d37d49b1ec977b98c2e1cc03cba346319c6a96e2bd581e8c0302902180e3834
Opcode Fuzzy Hash: b9e65dd4ba68bbb97a4f2f36a3ef5b2bb626c93ac90d9831ab7b834ad64c2e06
Instruction Fuzzy Hash: 46B01200E7E4870CD40932B909470FCBB70BF9A274FD504F0D88C80183DA5D14F74286

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cake.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
cake.exe