Edit tour

Windows Analysis Report
7R4CQlalZQ.exe

Overview

General Information

Sample name:	7R4CQlalZQ.exe renamed because original name is a hash value
Original sample name:	490ceab952abd5b62925e15f4b7aa533.exe
Analysis ID:	1528658
MD5:	490ceab952abd5b62925e15f4b7aa533
SHA1:	8ea352821a52ea4daf51913ab1b193fc8b0417c2
SHA256:	290ab569c993fc3c2fcfeb1586eef058a0314893fc0c25219ba9915232a70280
Tags:	32exenjrattrojan
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Potentially Suspicious Malware Callback Communication

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

7R4CQlalZQ.exe (PID: 2828 cmdline: "C:\Users\user\Desktop\7R4CQlalZQ.exe" MD5: 490CEAB952ABD5B62925E15F4B7AA533)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["193.233.255.34"], "Port": "7777", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
7R4CQlalZQ.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
7R4CQlalZQ.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2025480520.0000000000D32000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2025480520.0000000000D32000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6a80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6b1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6c32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x68f2:$cnc4: POST / HTTP/1.1
00000000.00000002.4473608213.0000000003241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: 7R4CQlalZQ.exe PID: 2828	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.7R4CQlalZQ.exe.d30000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.7R4CQlalZQ.exe.d30000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 193.233.255.34, DestinationIsIpv6: false, DestinationPort: 7777, EventID: 3, Image: C:\Users\user\Desktop\7R4CQlalZQ.exe, Initiated: true, ProcessId: 2828, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T08:15:11.280839+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:11.540481+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:14.938402+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:27.719257+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:41.013793+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:41.276267+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:54.245089+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:07.604534+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:08.526313+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:09.620293+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:11.151175+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:11.315519+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:14.105833+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:20.140163+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:27.043234+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:30.168028+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:30.291630+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:30.409190+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:35.417748+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:36.464010+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:36.581252+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:41.290008+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:41.604553+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:46.902073+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:52.494606+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:52.612237+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:52.729670+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:52.863226+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:53.321994+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:55.340468+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:57.901385+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:08.464010+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:08.581636+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:09.870063+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:11.293087+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:18.899107+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:19.031523+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:20.934757+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:22.894986+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:24.339711+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:25.135672+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:30.276304+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:30.393732+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:30.860937+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:33.229310+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:37.637527+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:41.295629+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:50.995410+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:51.374674+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:51.552009+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:54.620314+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:55.693402+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:56.077652+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:59.574108+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:00.807569+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:06.387998+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:06.503075+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:07.341222+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:11.293009+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:16.885906+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:20.201558+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:27.792490+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:28.838524+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:29.452297+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:30.622234+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:32.339548+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:34.028610+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:37.214769+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:37.354657+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:40.917884+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:41.294912+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:42.932864+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:43.050549+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:43.168397+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:48.477531+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:49.260904+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:52.074295+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:52.573170+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:19:02.184085+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:19:11.293586+0200	2852870	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T08:15:14.947156+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:15:27.721501+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:15:41.035704+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:15:54.247258+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:07.607030+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:08.528370+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:09.630128+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:11.153955+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:14.107923+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:20.142319+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:27.057615+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:30.170226+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:30.293566+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:30.410982+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:35.425633+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:36.466105+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:36.583303+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:36.699822+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:41.609959+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:46.904419+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:52.497566+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:52.614727+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:52.732635+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:52.865031+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:53.327121+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:55.344600+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:57.904254+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:08.467044+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:08.583785+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:09.877140+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:18.901180+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:19.039507+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:20.936810+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:22.897001+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:24.357492+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:25.143536+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:30.278329+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:30.512601+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:30.518090+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:30.629584+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:30.745509+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:30.864713+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:33.235279+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:37.640862+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:50.997930+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:51.380293+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:51.562623+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:54.622463+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:55.702105+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:56.079740+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:59.581308+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:00.809490+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:06.391069+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:06.505266+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:07.348550+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:16.887525+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:20.203318+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:27.795473+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:28.839844+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:29.455634+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:30.657271+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:32.341304+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:34.034579+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:37.216489+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:37.358161+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:40.919395+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:42.934861+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:43.051691+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:43.169875+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:48.479483+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:49.268170+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:52.080110+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:52.575039+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:19:02.184885+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T08:15:11.280839+0200	2852874	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:11.540481+0200	2852874	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:41.276267+0200	2852874	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:11.315519+0200	2852874	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:41.290008+0200	2852874	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:11.293087+0200	2852874	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:41.295629+0200	2852874	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:11.293009+0200	2852874	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:41.294912+0200	2852874	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:19:11.293586+0200	2852874	1	Malware Command and Control Activity Detected	193.233.255.34	7777	192.168.2.5	49704	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T08:16:52.285229+0200	2853193	1	Malware Command and Control Activity Detected	192.168.2.5	49704	193.233.255.34	7777	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 7R4CQlalZQ.exe

Avira: detected

Found malware configuration

Source: 7R4CQlalZQ.exe

Malware Configuration Extractor: Xworm {"C2 url": ["193.233.255.34"], "Port": "7777", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for domain / URL

Source: 193.233.255.34

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for submitted file

Source: 7R4CQlalZQ.exe	ReversingLabs: Detection: 84%
Source: 7R4CQlalZQ.exe	Virustotal: Detection: 84%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 7R4CQlalZQ.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 7R4CQlalZQ.exe	String decryptor: 193.233.255.34
Source: 7R4CQlalZQ.exe	String decryptor: 7777
Source: 7R4CQlalZQ.exe	String decryptor: <123456789>
Source: 7R4CQlalZQ.exe	String decryptor: <Xwormmm>
Source: 7R4CQlalZQ.exe	String decryptor: XWorm V5.6
Source: 7R4CQlalZQ.exe	String decryptor: USB.exe

Source: 7R4CQlalZQ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7R4CQlalZQ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 193.233.255.34:7777 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 193.233.255.34:7777 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 193.233.255.34:7777
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49704 -> 193.233.255.34:7777
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 193.233.255.34:7777

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 193.233.255.34

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 193.233.255.34:7777

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.255.34

Source: 7R4CQlalZQ.exe, 00000000.00000002.4473608213.0000000003241000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: 7R4CQlalZQ.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.7R4CQlalZQ.exe.d30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2025480520.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Code function: 0_2_00007FF848E85D76	0_2_00007FF848E85D76
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Code function: 0_2_00007FF848E86B22	0_2_00007FF848E86B22
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Code function: 0_2_00007FF848E896B4	0_2_00007FF848E896B4

Source: 7R4CQlalZQ.exe, 00000000.00000000.2025480520.0000000000D32000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs 7R4CQlalZQ.exe
Source: 7R4CQlalZQ.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs 7R4CQlalZQ.exe

Source: 7R4CQlalZQ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7R4CQlalZQ.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.7R4CQlalZQ.exe.d30000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2025480520.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 7R4CQlalZQ.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7R4CQlalZQ.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7R4CQlalZQ.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Mutant created: \Sessions\1\BaseNamedObjects\RPVmSS9pizbP4j38

Source: 7R4CQlalZQ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 7R4CQlalZQ.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7R4CQlalZQ.exe	ReversingLabs: Detection: 84%
Source: 7R4CQlalZQ.exe	Virustotal: Detection: 84%

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: 7R4CQlalZQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 7R4CQlalZQ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 7R4CQlalZQ.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 7R4CQlalZQ.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 7R4CQlalZQ.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 7R4CQlalZQ.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 7R4CQlalZQ.exe, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Code function: 0_2_00007FF848E87558 push ebx; iretd	0_2_00007FF848E8756A
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Code function: 0_2_00007FF848E87548 push ebx; iretd	0_2_00007FF848E8756A
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Code function: 0_2_00007FF848E87538 push ebx; iretd	0_2_00007FF848E8756A
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Code function: 0_2_00007FF848E87528 push ebx; iretd	0_2_00007FF848E8756A

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Memory allocated: 1270000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Memory allocated: 1B240000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Window / User API: threadDelayed 9296			Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	Window / User API: threadDelayed 553			Jump to behavior

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe TID: 3040	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe TID: 728	Thread sleep count: 9296 > 30	Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe TID: 728	Thread sleep count: 553 > 30	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\7R4CQlalZQ.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 7R4CQlalZQ.exe, 00000000.00000002.4472043958.000000000133F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe

Queries volume information: C:\Users\user\Desktop\7R4CQlalZQ.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 7R4CQlalZQ.exe, 00000000.00000002.4475004158.000000001BFA0000.00000004.00000020.00020000.00000000.sdmp, 7R4CQlalZQ.exe, 00000000.00000002.4475004158.000000001BFCD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\7R4CQlalZQ.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 7R4CQlalZQ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7R4CQlalZQ.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2025480520.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4473608213.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7R4CQlalZQ.exe PID: 2828, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 7R4CQlalZQ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7R4CQlalZQ.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2025480520.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4473608213.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7R4CQlalZQ.exe PID: 2828, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	232 Virtualization/Sandbox Evasion	LSASS Memory	232 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
7R4CQlalZQ.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.XWorm
7R4CQlalZQ.exe	85%	Virustotal		Browse
7R4CQlalZQ.exe	100%	Avira	HEUR/AGEN.1305769
7R4CQlalZQ.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
193.233.255.34	10%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
193.233.255.34	true	10%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	7R4CQlalZQ.exe, 00000000.00000002.4473608213.0000000003241000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.233.255.34	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528658
Start date and time:	2024-10-08 08:14:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7R4CQlalZQ.exe renamed because original name is a hash value
Original Sample Name:	490ceab952abd5b62925e15f4b7aa533.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 42 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 7R4CQlalZQ.exe, PID 2828 because it is empty

Simulations

Behavior and APIs

Time	Type	Description
02:14:58	API Interceptor	16897760x Sleep call for process: 7R4CQlalZQ.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.233.255.34	dY3l5qveUD.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	VmRHSCaiyc.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	147.45.44.104
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	147.45.44.104
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	147.45.44.104
	T2bmenoX1o.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104
	http://hans.uniformeslaamistad.com/yuop/66e6ea133c92f_crypted.exe#xin	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	147.45.44.104
	http://hans.uniformeslaamistad.com/prog/66ce237125ba7_vjrew2ge.exe	Get hash	malicious	Unknown	Browse	147.45.44.104
	http://hans.uniformeslaamistad.com/prog/66f5db9e54794_vfkagks.exe	Get hash	malicious	Unknown	Browse	147.45.44.104
	T8TY28UxiT.dll	Get hash	malicious	Unknown	Browse	147.45.116.5
	T8TY28UxiT.dll	Get hash	malicious	Unknown	Browse	147.45.116.5

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.590350810316808
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	7R4CQlalZQ.exe
File size:	33'280 bytes
MD5:	490ceab952abd5b62925e15f4b7aa533
SHA1:	8ea352821a52ea4daf51913ab1b193fc8b0417c2
SHA256:	290ab569c993fc3c2fcfeb1586eef058a0314893fc0c25219ba9915232a70280
SHA512:	eef0a6e1e0877ac549bae7408ef52fe59036be96f3f1694b19c466da64349a5a133ab169c177a3e7be09166e7cd39d230913ed6890e3942a5831706858b258b0
SSDEEP:	768:iVa+vNtg+PB93Tw4e1dVFE9jjXOjhybe:svNtgw93U4epFE9jjXOjYC
TLSH:	66E23B4877D44712DAEEAFB12DF362061270D517E923EF6E0CE485EA2B67AC047407E6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...79.f.................x..........n.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40976e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F93937 [Sun Sep 29 11:25:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x971c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7774	0x7800	948534709a4644d7fbbb44e6d0c61676	False	0.5010416666666667	data	5.741433702369465	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x4d8	0x600	afbb984503128042cc38bf70e5e337f4	False	0.375	data	3.7203482473352403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc000	0xc	0x200	3ee5eb55d2c84cad34ece42377c6f250	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa0a0	0x244	data			0.4724137931034483
RT_MANIFEST	0xa2e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T08:15:11.280839+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:11.280839+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:11.540481+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:11.540481+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:13.961258+0200	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:15:14.938402+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:14.947156+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:15:27.719257+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:27.721501+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:15:41.013793+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:41.035704+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:15:41.276267+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:41.276267+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:54.245089+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:15:54.247258+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:07.604534+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:07.607030+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:08.526313+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:08.528370+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:09.620293+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:09.630128+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:11.151175+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:11.153955+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:11.315519+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:11.315519+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:14.105833+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:14.107923+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:20.140163+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:20.142319+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:27.043234+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:27.057615+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:30.168028+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:30.170226+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:30.291630+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:30.293566+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:30.409190+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:30.410982+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:35.417748+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:35.425633+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:36.464010+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:36.466105+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:36.581252+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:36.583303+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:36.699822+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:41.290008+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:41.290008+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:41.604553+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:41.609959+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:46.902073+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:46.904419+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:52.285229+0200	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:52.494606+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:52.497566+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:52.612237+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:52.614727+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:52.729670+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:52.732635+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:52.863226+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:52.865031+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:53.321994+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:53.327121+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:55.340468+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:55.344600+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:16:57.901385+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:16:57.904254+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:08.464010+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:08.467044+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:08.581636+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:08.583785+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:09.870063+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:09.877140+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:11.293087+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:11.293087+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:18.899107+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:18.901180+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:19.031523+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:19.039507+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:20.934757+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:20.936810+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:22.894986+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:22.897001+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:24.339711+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:24.357492+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:25.135672+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:25.143536+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:30.276304+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:30.278329+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:30.393732+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:30.512601+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:30.518090+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:30.629584+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:30.745509+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:30.860937+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:30.864713+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:33.229310+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:33.235279+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:37.637527+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:37.640862+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:41.295629+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:41.295629+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:50.995410+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:50.997930+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:51.374674+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:51.380293+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:51.552009+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:51.562623+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:54.620314+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:54.622463+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:55.693402+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:55.702105+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:56.077652+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:56.079740+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:17:59.574108+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:17:59.581308+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:00.807569+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:00.809490+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:06.387998+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:06.391069+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:06.503075+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:06.505266+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:07.341222+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:07.348550+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:11.293009+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:11.293009+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:16.885906+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:16.887525+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:20.201558+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:20.203318+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:27.792490+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:27.795473+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:28.838524+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:28.839844+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:29.452297+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:29.455634+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:30.622234+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:30.657271+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:32.339548+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:32.341304+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:34.028610+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:34.034579+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:37.214769+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:37.216489+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:37.354657+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:37.358161+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:40.917884+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:40.919395+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:41.294912+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:41.294912+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:42.932864+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:42.934861+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:43.050549+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:43.051691+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:43.168397+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:43.169875+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:48.477531+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:48.479483+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:49.260904+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:49.268170+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:52.074295+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:52.080110+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:18:52.573170+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:18:52.575039+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:19:02.184085+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:19:02.184885+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	193.233.255.34	7777	TCP
2024-10-08T08:19:11.293586+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.233.255.34	7777	192.168.2.5	49704	TCP
2024-10-08T08:19:11.293586+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	193.233.255.34	7777	192.168.2.5	49704	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 08:15:00.430834055 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:15:00.437066078 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:15:00.437268972 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:15:00.598798990 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:15:00.605367899 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:15:11.280838966 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:15:11.331654072 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:15:11.540481091 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:15:11.540549040 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:15:13.961257935 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:15:14.269135952 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:15:14.733417034 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:15:14.733432055 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:15:14.938401937 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:15:14.947155952 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:15:14.952400923 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:15:27.318968058 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:15:27.512088060 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:15:27.719257116 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:15:27.721501112 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:15:27.726931095 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:15:40.678242922 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:15:40.808664083 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:15:41.013792992 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:15:41.035703897 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:15:41.041146040 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:15:41.276267052 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:15:41.316134930 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:15:54.035392046 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:15:54.040366888 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:15:54.245089054 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:15:54.247257948 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:15:54.252772093 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:07.394561052 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:07.400000095 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:07.604533911 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:07.607029915 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:07.612412930 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:08.316581011 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:08.321816921 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:08.526313066 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:08.528369904 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:08.533293962 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:09.410372972 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:09.415436029 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:09.620292902 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:09.630127907 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:09.635206938 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:10.941437960 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:10.946868896 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:11.151175022 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:11.153954983 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:11.159310102 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:11.315519094 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:11.409833908 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:13.895905972 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:13.901159048 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:14.105833054 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:14.107923031 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:14.113312006 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:19.926115036 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:19.931781054 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:20.140162945 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:20.142318964 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:20.148010969 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:26.833148003 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:26.838637114 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:27.043234110 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:27.057615042 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:27.062920094 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:29.957092047 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:29.962652922 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:30.081971884 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:30.087049007 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:30.097479105 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:30.102576017 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:30.168028116 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:30.170226097 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:30.176115990 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:30.291630030 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:30.293565989 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:30.298966885 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:30.409189939 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:30.410981894 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:30.416220903 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:35.207550049 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:35.212838888 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:35.417747974 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:35.425632954 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:35.431539059 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:36.254112959 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:36.259305000 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:36.285198927 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:36.292717934 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:36.300733089 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:36.305960894 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:36.316266060 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:36.321168900 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:36.331964016 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:36.337165117 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:36.464010000 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:36.466104984 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:36.471210957 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:36.581252098 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:36.583302975 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:36.588355064 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:36.698116064 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:36.699821949 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:36.705044985 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:36.705108881 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:36.710966110 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:41.290008068 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:41.394510031 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:41.399925947 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:41.604552984 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:41.609958887 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:41.615302086 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:46.692047119 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:46.697362900 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:46.902072906 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:46.904418945 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:46.909708023 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:52.285228968 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:52.290378094 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:52.394537926 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:52.399548054 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:52.425760031 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:52.430831909 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:52.494606018 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:52.497565985 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:52.502377033 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:52.612236977 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:52.614727020 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:52.619923115 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:52.629012108 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:52.634125948 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:52.729670048 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:52.732635021 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:52.738022089 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:52.863225937 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:52.865031004 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:52.870513916 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:52.964315891 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:52.970304966 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:53.321994066 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:53.327121019 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:53.332828999 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:55.130290031 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:55.135898113 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:55.340467930 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:55.344599962 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:55.350006104 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:57.691401005 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:57.696468115 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:57.901385069 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:16:57.904253960 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:16:57.909780979 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:08.254050016 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:08.259375095 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:08.347771883 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:08.353228092 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:08.464010000 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:08.467044115 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:08.472284079 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:08.581635952 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:08.583785057 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:08.589001894 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:09.660393953 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:09.665772915 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:09.870063066 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:09.877140045 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:09.882472992 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:11.293087006 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:11.409989119 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:18.457561970 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:18.693898916 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:18.821460962 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:18.826819897 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:18.899106979 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:18.901180029 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:18.906241894 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:19.031522989 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:19.039506912 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:19.044815063 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:20.722774029 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:20.728262901 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:20.934756994 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:20.936810017 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:20.945466042 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:22.675823927 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:22.681195021 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:22.894985914 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:22.897001028 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:22.902000904 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:24.129873991 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:24.135411978 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:24.339710951 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:24.357491970 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:24.362632036 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:24.925756931 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:24.931163073 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:25.135672092 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:25.143536091 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:25.148912907 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.066529036 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.072045088 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.097611904 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.103020906 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.113353014 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.118464947 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.175909042 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.180918932 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.191443920 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.196942091 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.222675085 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.228171110 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.269471884 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.274580002 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.276304007 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.278328896 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.331598997 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.331804037 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.337308884 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.347692966 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.353749037 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.363280058 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.368370056 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.393732071 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.394615889 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.447408915 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.447607040 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.452585936 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.510649920 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.512600899 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.517852068 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.518090010 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.523252964 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.627521992 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.629584074 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.635015965 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.635204077 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.640593052 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.744102001 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.745508909 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.750438929 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.750638962 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.755625963 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.860937119 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:30.864712954 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:30.869771957 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:33.019761086 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:33.024955988 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:33.229310036 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:33.235279083 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:33.240236044 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:37.427687883 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:37.432935953 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:37.637526989 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:37.640861988 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:37.646173954 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:41.295629025 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:41.411269903 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:50.785521030 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:50.791023016 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:50.995409966 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:50.997930050 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:51.003360987 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:51.035092115 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:51.040441036 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:51.050744057 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:51.055903912 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:51.374674082 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:51.380292892 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:51.385694981 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:51.552009106 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:51.562623024 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:51.567994118 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:54.410394907 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:54.415591955 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:54.620313883 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:54.622462988 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:54.627793074 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:55.474198103 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:55.479665041 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:55.693402052 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:55.702105045 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:55.707561970 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:55.725964069 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:55.731435061 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:56.077651978 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:56.079740047 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:56.085206985 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:59.364070892 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:59.369687080 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:59.574107885 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:17:59.581307888 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:17:59.586637020 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:00.597798109 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:00.603341103 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:00.807569027 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:00.809489965 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:00.814896107 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:06.175723076 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:06.181195021 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:06.207035065 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:06.212596893 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:06.387998104 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:06.391068935 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:06.397705078 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:06.503074884 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:06.505265951 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:06.510603905 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:07.131185055 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:07.136717081 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:07.341222048 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:07.348550081 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:07.354034901 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:11.293009043 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:11.347543955 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:16.675988913 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:16.681447983 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:16.885905981 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:16.887525082 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:16.892930984 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:19.990921974 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:19.996563911 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:20.201558113 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:20.203318119 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:20.209109068 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:27.582777023 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:27.588190079 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:27.792490005 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:27.795473099 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:27.800419092 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:28.628927946 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:28.634274960 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:28.838524103 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:28.839843988 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:28.846002102 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:29.242396116 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:29.247787952 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:29.452296972 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:29.455634117 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:29.461085081 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:30.411025047 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:30.416625977 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:30.622234106 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:30.657270908 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:30.662543058 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:32.128957033 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:32.134361029 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:32.339548111 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:32.341304064 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:32.346878052 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:33.818233013 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:33.823755980 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:34.028609991 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:34.034579039 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:34.040036917 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:37.003979921 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:37.009521961 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:37.144459009 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:37.150032043 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:37.214768887 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:37.216489077 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:37.221870899 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:37.354656935 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:37.358160973 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:37.363643885 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:40.707050085 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:40.712798119 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:40.917884111 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:40.919394970 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:40.924772978 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:41.294912100 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:41.347470045 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:42.722917080 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:42.728681087 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:42.816503048 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:42.821973085 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:42.878884077 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:42.884426117 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:42.932863951 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:42.934860945 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:42.983692884 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:43.050549030 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:43.051691055 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:43.056991100 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:43.168396950 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:43.169874907 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:43.175504923 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:48.130182028 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:48.136876106 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:48.477530956 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:48.479482889 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:48.485706091 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:49.050827980 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:49.056478024 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:49.260904074 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:49.268170118 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:49.273655891 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:51.864178896 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:51.869689941 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:52.074295044 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:52.080110073 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:52.085484028 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:52.363462925 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:52.368966103 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:52.573169947 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:18:52.575038910 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:18:52.580668926 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:19:01.973582983 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:19:01.979023933 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:19:02.184084892 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:19:02.184885025 CEST	49704	7777	192.168.2.5	193.233.255.34
Oct 8, 2024 08:19:02.190372944 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:19:11.293586016 CEST	7777	49704	193.233.255.34	192.168.2.5
Oct 8, 2024 08:19:11.347435951 CEST	49704	7777	192.168.2.5	193.233.255.34

Target ID:	0
Start time:	02:14:55
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\7R4CQlalZQ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\7R4CQlalZQ.exe"
Imagebase:	0xd30000
File size:	33'280 bytes
MD5 hash:	490CEAB952ABD5B62925E15F4B7AA533
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2025480520.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2025480520.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4473608213.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FF848E896B4 Relevance: 2.2, Strings: 1, Instructions: 985COMMON

Download Yara Rule

Strings

, xrefs: 00007FF848E8A16F

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2eb80f1543bab61cc22e2323115c233b2cf0fd7bc5f1cc6f39b3c76e6483579f
Instruction ID: bee7c9c699569ad04b0017542bee4c85909510e2b4d1f9a67fcd59c4bb998734
Opcode Fuzzy Hash: 2eb80f1543bab61cc22e2323115c233b2cf0fd7bc5f1cc6f39b3c76e6483579f
Instruction Fuzzy Hash: 17627B30E1C90A9FEA98FB38845567DB2D2FF98384FA44578D10EC3286DF39E8429745

Function 00007FF848E85D76 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03c1c1ad48585b4526455f0e97dc07cfe323144cfcdc21fd18f9d1dd2947219
Instruction ID: 3e2966b0788ea97c96aed8a42696233e0b63c9506dfcd6b4a541e5e254fd3ee9
Opcode Fuzzy Hash: d03c1c1ad48585b4526455f0e97dc07cfe323144cfcdc21fd18f9d1dd2947219
Instruction Fuzzy Hash: B0F1A33090CA8E8FEBA8EF28C8557E937E1FF55350F44426AE84DC7291DF3499458B86

Function 00007FF848E86B22 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc8c17e477c2bd37f84fa22b0ab6872e0964888bfe43f354950f0f08f047b51
Instruction ID: f826f056b5dc958e6876f61b9f30645963159159d584f8da0ce1afaac62eb736
Opcode Fuzzy Hash: 2fc8c17e477c2bd37f84fa22b0ab6872e0964888bfe43f354950f0f08f047b51
Instruction Fuzzy Hash: 78E1B33090CA8D8FEBA8EF28C8597E937D1FB54350F44466AE84DC72A1DF7499458B81

Function 00007FF848E87CE1 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF848E87D53

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: f421f0752a7e2e1a57450bcab6e901b75afdf0db1163f6349eb593fd2a9bddb8
Instruction ID: 2a3e7489260979806ed8585c64bcbfc1fa5d76430b23ef6cc23a80cf3161a280
Opcode Fuzzy Hash: f421f0752a7e2e1a57450bcab6e901b75afdf0db1163f6349eb593fd2a9bddb8
Instruction Fuzzy Hash: AA21BE31C0C29A4FEB05ABA48C456FDBBE0FF8A350F0901BAD449E71D2DB3C98458B95

Function 00007FF848E80758 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5afedcafdbe92fc8041724c4bbe02349314bfbe8a1f878ec0956beb6b836ee22
Instruction ID: b84dc11296639871143451bb928b6369f64ae8799bcb6c64ba6530d384ac1684
Opcode Fuzzy Hash: 5afedcafdbe92fc8041724c4bbe02349314bfbe8a1f878ec0956beb6b836ee22
Instruction Fuzzy Hash: 47C1D230E2CD198FD799FB28849866977E1FB99394F9441B9E04EC32D6CF38A8418781

Function 00007FF848E81DD5 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372c49cf966cf357b35d800d41e0b845167b66fafd1cc4670c00895da30562a4
Instruction ID: 68dbc0d1489f95686d75c13ba39cad158cdac22a92cd41b18e0cde0c8e9f6d3a
Opcode Fuzzy Hash: 372c49cf966cf357b35d800d41e0b845167b66fafd1cc4670c00895da30562a4
Instruction Fuzzy Hash: 07B11321E1DD894FE7A9B73844192BD6BD2FF99790F5801BAD04EC32C7DF2858428785

Function 00007FF848E86736 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b269e28595232698b7f83529ad7a550b1a30922b4c2a7e3602a34f97bd290237
Instruction ID: 5699388ce881f85f8132227e9b5b245c426470dd68d2b2233853afae04cfb7b0
Opcode Fuzzy Hash: b269e28595232698b7f83529ad7a550b1a30922b4c2a7e3602a34f97bd290237
Instruction Fuzzy Hash: 32B1E53050CA8D8FEBA9EF28C8557E93BE0FF55350F44426AE84DC7292DB349945CB82

Function 00007FF848E82631 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504ac6961bac6ebf8a66e00ce7af044bcc0bdd1c9a469fe4e5611a4b37cd2bfb
Instruction ID: 6ca2882ae452cd6705d27971d03ed740457a593938578d37c661fe88ea152c9b
Opcode Fuzzy Hash: 504ac6961bac6ebf8a66e00ce7af044bcc0bdd1c9a469fe4e5611a4b37cd2bfb
Instruction Fuzzy Hash: E1816520719D05AFE688B76C845A77AF2D2FF98740F648175E00DC36D6CF3CA8418B66

Function 00007FF848E8845E Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50dcdbdf81c964308a18fd4341e98d49722176719ca5a3378f5e806ef6c5584
Instruction ID: 3737269d484e79de9ac94ee68cd3415aae806eea05a677c5828aba013f7618c9
Opcode Fuzzy Hash: e50dcdbdf81c964308a18fd4341e98d49722176719ca5a3378f5e806ef6c5584
Instruction Fuzzy Hash: E7812171E0D95A4FEB48FB3884562A8B7E0FF44390F8842B9D45DC3182DF38A8479795

Function 00007FF848E87DCD Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a4788d0425a16dfbbf408fe50d09bd5f9ba3c05aa1f38d7871b8dcb9a7df26
Instruction ID: 656b75065540e310805a9f4ce7a925734fef2139e4470f16425198eab4594ac0
Opcode Fuzzy Hash: b0a4788d0425a16dfbbf408fe50d09bd5f9ba3c05aa1f38d7871b8dcb9a7df26
Instruction Fuzzy Hash: F0516F70908A1C8FDB58EF68D845BEDBBF1FF99311F14426AD44DD3292DB34A8468B81

Function 00007FF848E80925 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43c65634ae35bd6b23b5a59f94d4a5d4aa05b96bd994d9e8155d620b79779ff
Instruction ID: 5c3425162f2d55b8849d91561b96d6959eb629ffe24c1825ccabe1d173fa9991
Opcode Fuzzy Hash: d43c65634ae35bd6b23b5a59f94d4a5d4aa05b96bd994d9e8155d620b79779ff
Instruction Fuzzy Hash: AB51D221F1DD4E5FDB98B77884691BD77D1FF88290B9401B9E04EC32CADE38A8418765

Function 00007FF848E87568 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b356de702b13b70331e2a586a872255e6c30f945545e33b4eedd9cb19ed02f8
Instruction ID: 5dc1f8313aa6a56d97b61d1f4b7fd317a320ca45f54b49e90355d78292fd7525
Opcode Fuzzy Hash: 7b356de702b13b70331e2a586a872255e6c30f945545e33b4eedd9cb19ed02f8
Instruction Fuzzy Hash: 5C21D022D0EAD50FE356A73C68251BD7FA0FF56690B4801FBD088C71D3EB285C088796

Function 00007FF848E8897D Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2bace070d6f551e9a1d2023fe692af3d33f93f81f86c5a64d356eeea12bc866
Instruction ID: 14e6b59f39ab63da71d1cb0c31c14a89de6655d1ed27f1c2a82491d7abcc8014
Opcode Fuzzy Hash: a2bace070d6f551e9a1d2023fe692af3d33f93f81f86c5a64d356eeea12bc866
Instruction Fuzzy Hash: 5751F131A1C9584FDB98F7389859AEDB7E1EF59351F1501BAE40DD32A2CE38A842C741

Function 00007FF848E886F1 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9ea1e4a1ebc937a54ed322c4750fc6a7d3a29289df34f8d99e69b502bdb2fb
Instruction ID: 7e3f2aceb50fb80106f9be969821f1024918fa2294391f18f3063c22b8b60fa4
Opcode Fuzzy Hash: fe9ea1e4a1ebc937a54ed322c4750fc6a7d3a29289df34f8d99e69b502bdb2fb
Instruction Fuzzy Hash: 57518F30A1D9599FEB88FB28D8556AC77F1FF48780F8441B9E40DD3292CF38A8428B41

Function 00007FF848E87578 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb555d08d6f9a74da3ac9e885d3303d992940525381e63cfc23ab10386444879
Instruction ID: f8c8638c387ac7fe67a980b1e430f8f517c7660e817382a088666cb8281ae002
Opcode Fuzzy Hash: eb555d08d6f9a74da3ac9e885d3303d992940525381e63cfc23ab10386444879
Instruction Fuzzy Hash: D0212F22E0EAD94FE746B73C28251BD7BB0FF56690B4801F7D088C71D7EA285C098796

Function 00007FF848E81738 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61486b5163de5075055654226ebf7075b981f2771f565c3a2814147544d8603e
Instruction ID: 745b07e44fe52704cebe6a87cd86fa62054f443221430e1c6f70a2475d6f335a
Opcode Fuzzy Hash: 61486b5163de5075055654226ebf7075b981f2771f565c3a2814147544d8603e
Instruction Fuzzy Hash: D461E230D0D6868FE74AE77488126A9BBA1FF16390F5802BDC059C71D3CF2EA846C765

Function 00007FF848E8366C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c5bcb6d3e2dd0785d73b38d48eac8490fbd3f4c0490a12be2e375e2b31659d
Instruction ID: 6aefb9a9f219318b5a572b7752b483ea305954d90a7fbcc0e692d0fd3ec35704
Opcode Fuzzy Hash: 14c5bcb6d3e2dd0785d73b38d48eac8490fbd3f4c0490a12be2e375e2b31659d
Instruction Fuzzy Hash: 6A516131908A5C8FDB58EB58D845BE9BBF1FB59310F0482AAD44DD3252DF34A9858F81

Function 00007FF848E88F6A Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72f510032890cf8f315eccec71a3731434ec323cd0e3c32d47e0e90ab3c2257
Instruction ID: 8e36f061574c1ce8e564affa7762e4b53d228a71fc380f3ec206b10833f05477
Opcode Fuzzy Hash: b72f510032890cf8f315eccec71a3731434ec323cd0e3c32d47e0e90ab3c2257
Instruction Fuzzy Hash: 4051F23090CA498FD749FB68D8456B87BE0FF56364F4481AED04DC7292DB38A846CB51

Function 00007FF848E87588 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a87fc06acc4ec9fe573fea166bc603eb4ba0b97f4ba5dec62869b2a34b32d3a
Instruction ID: a137471f771d4ddd31517d89ccbc969c6b701216d6915e54b4da05c17dcff189
Opcode Fuzzy Hash: 7a87fc06acc4ec9fe573fea166bc603eb4ba0b97f4ba5dec62869b2a34b32d3a
Instruction Fuzzy Hash: 97210F22E1DAE94FE756B73C68251BD7BB0FF96650B4801F7D088C7193EA285C088796

Function 00007FF848E805A0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1975c128742187d5f7d4a60c08bed45b8193ba40db182b9d48f9977b3eef08
Instruction ID: a6c5c9ae08063065f5418f563b9c4790ad252e1f07065940b19672a146e21813
Opcode Fuzzy Hash: dd1975c128742187d5f7d4a60c08bed45b8193ba40db182b9d48f9977b3eef08
Instruction Fuzzy Hash: 8B415521B1DD4A4FE398B63C885A67977D2FF85680F4840B9E48EC3296DE28AC428755

Function 00007FF848E80B5E Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809bea0c2c29dfc95e001a7b70c42c483c2c55a6c4cbf00541c81fad984c70bf
Instruction ID: 58bd92159750bad4cde469d7e060c156e58599831592919ceef7373c99816c27
Opcode Fuzzy Hash: 809bea0c2c29dfc95e001a7b70c42c483c2c55a6c4cbf00541c81fad984c70bf
Instruction Fuzzy Hash: 30411720B1EA890FE389A73C5869279BBD1EF9A655F0801FFE04DC7297DE285C068311

Function 00007FF848E81495 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04982cd401b8f975c701d732f63a7a7bc6d65a8ac1fe99eb02bcc467271a883c
Instruction ID: ad07ef10ea07f4eb70620f7dc664189200570f3836334974ce3d4598fd730a55
Opcode Fuzzy Hash: 04982cd401b8f975c701d732f63a7a7bc6d65a8ac1fe99eb02bcc467271a883c
Instruction Fuzzy Hash: CA418C74A0CA5CCFDB98FF68C499BA97BE0FB25311F50416EE04AC3692CB759841CB41

Function 00007FF848E88131 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d8a37a8b05659efe2a0d914a232ae1e998e10ecdc035618569f092d907904e
Instruction ID: 9c80b637a0db3270bcc656d8ece3525b4380330077c7c78a42b0e0f811c25967
Opcode Fuzzy Hash: 74d8a37a8b05659efe2a0d914a232ae1e998e10ecdc035618569f092d907904e
Instruction Fuzzy Hash: F641C171A1C9199FEB84FB6888596BC7BF1FF58341F4401BAD40DD3292DF3898828B11

Function 00007FF848E804C8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8737a0b9152d9251a634c6e22c3ee58da07e905f53a80437b5f27317e8a89264
Instruction ID: 62b9c69f97c1d194522ff5f96049fe3b0ba0addaae6b135184967ba0c70992e9
Opcode Fuzzy Hash: 8737a0b9152d9251a634c6e22c3ee58da07e905f53a80437b5f27317e8a89264
Instruction Fuzzy Hash: A331E220B1D94D5FE788FB2C946A379B6C2EB98755F0401BEE00EC32D7DE689C028341

Function 00007FF848E882F5 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5cddf0b0e31922404b08b3b2d1508e5e721084867a73d9d8be32965d53537f
Instruction ID: 9aa1b0a0638275223a3ee29b0ae8c6bb589cceb4e56fe47334e902e05f22b3d3
Opcode Fuzzy Hash: 2c5cddf0b0e31922404b08b3b2d1508e5e721084867a73d9d8be32965d53537f
Instruction Fuzzy Hash: C241F232C0DA9A5FE349A7249C561F97BA1FF46390F5401FAD44AC71D2DF2D28438786

Function 00007FF848E80E11 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56a6220fc8c86ce10b16b7a44265d097e5374e1f2820b953907c5a5e5f5986f
Instruction ID: 8d9e3de3fd9c75afe362f484c52ef99f40b16d522418874c26cf89b6dd36cdba
Opcode Fuzzy Hash: c56a6220fc8c86ce10b16b7a44265d097e5374e1f2820b953907c5a5e5f5986f
Instruction Fuzzy Hash: A431D221F1DD095FEB88B7AC581A3BDB7D2FF98791F0442B6E00DC3286DE2898014761

Function 00007FF848E80CC1 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b0d370acf6b5b05d4a4c6098e3cff012b9964536f61b3f01211465af869eb8
Instruction ID: 64d7878268651d9e12c0f10941831d59848d1e2aaf9e68e9b655fd0b280e1de9
Opcode Fuzzy Hash: 84b0d370acf6b5b05d4a4c6098e3cff012b9964536f61b3f01211465af869eb8
Instruction Fuzzy Hash: 2341A130E1994E9FEB49FB7884556FDBBA1FF89300FA44179D049D3286DE3868018B64

Function 00007FF848E80E30 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a5081ccf1517fc3b6ff68cc850dc071fadb91fa1e91a4b9cb014d63743c9ba
Instruction ID: ef8c0d24026a0222912e42f3c387c108faca67aac2a113557c3fb7ddf9be3173
Opcode Fuzzy Hash: 07a5081ccf1517fc3b6ff68cc850dc071fadb91fa1e91a4b9cb014d63743c9ba
Instruction Fuzzy Hash: 6131D621F19D0D5FEB88B6BC581A3BDB6D2FF98791F544276E00DC3286DE2898014761

Function 00007FF848E8AB05 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27d80e6062009c246fdb62270ba330718ea07f760187c9fd94ad046c4f6b462
Instruction ID: 4b6b7e611e560561c4e03282f477156e1d5065d4058830f77ecb0bfeeb79a007
Opcode Fuzzy Hash: a27d80e6062009c246fdb62270ba330718ea07f760187c9fd94ad046c4f6b462
Instruction Fuzzy Hash: B931933140D7489FDB19DFA8D886AE9BBF0FF56320F0482AFD089C7552D764A44ACB51

Function 00007FF848E87FF9 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71c7809496b0afe5bb9d2f854f3830f93fbbc96a806b616c152059caa34ff02
Instruction ID: eaa4797a4026d3751e01aaa45f7d699ec294e1082bf486e39a21fda98c9b8f8a
Opcode Fuzzy Hash: c71c7809496b0afe5bb9d2f854f3830f93fbbc96a806b616c152059caa34ff02
Instruction Fuzzy Hash: 4F31F830A0DE999FE746FB38C89556877E1FF16354B4401E6D448C7296CF38A851CB45

Function 00007FF848E88B31 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cc99e8c624dead5f227ca7512b2058df971729b2ac57e6f94cb16d40a911cc
Instruction ID: b7b0998eab7879d53f15a4701d1d4630c9b4b82378d69cfbdabacff318a2b901
Opcode Fuzzy Hash: 30cc99e8c624dead5f227ca7512b2058df971729b2ac57e6f94cb16d40a911cc
Instruction Fuzzy Hash: 3B31F171E0D9694FEB58AB2894996BDB7E0FF94391F44027ED80ED3282CF3958028745

Function 00007FF848E8A911 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be7e2f4b93787307d900f98879ef858839c3f7c909a2ab0e351b4c058c1edd7
Instruction ID: 3e547039595dd8da190b15b4bc86923527303448b4676cba2725b17366740dbc
Opcode Fuzzy Hash: 2be7e2f4b93787307d900f98879ef858839c3f7c909a2ab0e351b4c058c1edd7
Instruction Fuzzy Hash: 9F21C020A1CD59AEE749B76C58163B9B7C1FF58740FA441B5E04CC36C3CE6CA84187A6

Function 00007FF848E8135D Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e4c07671e9c7ed8f3c045a818208d3e2d1db4036779fbf3a2984f124945556
Instruction ID: d3804ccfd2f66e071f38b288af5c921fd5792facdee3e3f40d0006172a2b255e
Opcode Fuzzy Hash: 94e4c07671e9c7ed8f3c045a818208d3e2d1db4036779fbf3a2984f124945556
Instruction Fuzzy Hash: 0011E430E0C6468FE365F77988551BD36A2BF81390F9940B9D00DCB5C6DF39E8428359

Function 00007FF848E812C1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 691371dc3c46fee3d9149efdf36aa7db0f48f1c9203c6b2be0b24e227c900599
Instruction ID: 67015a0557f3060da80ac91ab50c3503b09cc8eb00ac48bbc0c6dfc29b308944
Opcode Fuzzy Hash: 691371dc3c46fee3d9149efdf36aa7db0f48f1c9203c6b2be0b24e227c900599
Instruction Fuzzy Hash: 5401D671D0CACD8FD78DFB3888691B97FE0EBA5205F9440AFC08AD7992DB3500448701

Function 00007FF848E89562 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82de98f6d9d00ad958a48d992c991915695825499dd1299d99e329d4b9a6687e
Instruction ID: 992679c5dd97b5156e918b5ecad4548663c1f70535b92a136cc654fecce23c17
Opcode Fuzzy Hash: 82de98f6d9d00ad958a48d992c991915695825499dd1299d99e329d4b9a6687e
Instruction Fuzzy Hash: E3118E21C0E6C94FDB53737458110ADBFA0BF43290F8805FBD099C74A3EA2E14098355

Function 00007FF848E87C21 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 267b627fc00b0669fbfe0ed79610941d9739532d3ae8bba790e59604f85bc203
Instruction ID: 5bea41b5545c8d2ec71f1fd5c665cdeb911eb9c4152e04125ec428541a1aaca1
Opcode Fuzzy Hash: 267b627fc00b0669fbfe0ed79610941d9739532d3ae8bba790e59604f85bc203
Instruction Fuzzy Hash: F8010031D09A9D4FDB45EBA8881A1EE7BE0FF18640F4001ABD008D71A2EB2898448781

Function 00007FF848E8140D Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be5d88f510fd8cd2df87d5c27f6fd03213a9be6aa4ec3f898d0c906aa13d388
Instruction ID: e94588746216a7e6a6b1ef1396540f45b381345967b8c15d864fb6644ae2fb30
Opcode Fuzzy Hash: 4be5d88f510fd8cd2df87d5c27f6fd03213a9be6aa4ec3f898d0c906aa13d388
Instruction Fuzzy Hash: 0B01F220E0E5968FF759B77844257BC2A91FF52380F9800F9E04DC72D7CE2E68458365

Function 00007FF848E8AA69 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595a27c8b83681e66e13e4b75ba453c1a8463490a2ec8312483deff33d1392c6
Instruction ID: 2b93f73891146c70427aff24ee80c801bcda13039c5dd0e47dce881c38f77eda
Opcode Fuzzy Hash: 595a27c8b83681e66e13e4b75ba453c1a8463490a2ec8312483deff33d1392c6
Instruction Fuzzy Hash: 34F0AF20F2CC0A4FFB98B62841066BD62C2FF883C5F809079D84EC3282DF38E8915749

Function 00007FF848E813B8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d29f2c3fb3ed6e949b9e1e4aabda3f58d3117e8578dd7460bacf288fc49e07f2
Instruction ID: e040884c77a8149bffb9e64fe0dcce6c06796bb023cae5995e172511fcf772ed
Opcode Fuzzy Hash: d29f2c3fb3ed6e949b9e1e4aabda3f58d3117e8578dd7460bacf288fc49e07f2
Instruction Fuzzy Hash: C8F08C30D0C5029FE366FB29C48166D73A1BF953A4FA44678D00DC36C2DF3AF8528A94

Function 00007FF848E89615 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af04081515dc1daccd3bafca0fe8189f02215f06d4ae85a3ef75723c1d0f6160
Instruction ID: 81a1ee27ba1f6863163a3ac8636334e0e961785690e60828107b3bfb487a0b0c
Opcode Fuzzy Hash: af04081515dc1daccd3bafca0fe8189f02215f06d4ae85a3ef75723c1d0f6160
Instruction Fuzzy Hash: AAE09A61C0D7C90EDB13BB3408240A8BFB0FE12240F8D06DBE0A8C70A3D7A806288382

Function 00007FF848E81141 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a039e23deafb1cfe1cccc5a34e1219319c1e998a2de071f069005a236a4c9e4
Instruction ID: 08600aa59332f9b682aea84b5bd315b27649c0e7ba03170b8e8b9acc6a37ce39
Opcode Fuzzy Hash: 8a039e23deafb1cfe1cccc5a34e1219319c1e998a2de071f069005a236a4c9e4
Instruction Fuzzy Hash: F6E0C23286878C4FDB426B6068121DA7B24FF56204F4105CBF41887092E72096188392

Function 00007FF848E81284 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4475918537.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_7R4CQlalZQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5251c32a2b0b9d446a063586b8f4cb18d5d36aaca4ac62fae67612c0dafba7
Instruction ID: cdcd5924888db65c9b2310d853b8c765eb743e75f12555be898cd4bdf895f2b8
Opcode Fuzzy Hash: 3a5251c32a2b0b9d446a063586b8f4cb18d5d36aaca4ac62fae67612c0dafba7
Instruction Fuzzy Hash: 8CD01215C5D2C60EE70B33B81C565947F509F171A0F8902D1D454C74D3E95D549A4276

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7R4CQlalZQ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Windows Analysis Report
7R4CQlalZQ.exe