Edit tour

Windows Analysis Report
ent.exe

Overview

General Information

Sample name:	ent.exe
Analysis ID:	1436084
MD5:	211661398474b9c96a1d704823d0e552
SHA1:	5afcd1a87a69ea1c84a06fdf7079660133ceb28a
SHA256:	c43fa1f0bbfbb8f91d9a339b97922494bf790c6b58bf973b56836ef52a3196cd
Tags:	exe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

ent.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\ent.exe" MD5: 211661398474B9C96A1D704823D0E552)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": "https://pastebin.com/raw/XzLzRHpk", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ent.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
ent.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x97d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9870:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9985:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x95ed:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4091153100.00000000029AB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1610301643.0000000000672000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1610301643.0000000000672000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x95d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9670:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9785:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x93ed:$cnc4: POST / HTTP/1.1
Process Memory Space: ent.exe PID: 7488	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.ent.exe.670000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.ent.exe.670000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x97d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9870:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9985:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x95ed:$cnc4: POST / HTTP/1.1

Snort Signatures

ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 - Source IP: 3.124.142.205 - Destination IP: 192.168.2.4

Timestamp:	05/03/24-19:09:49.210550
SID:	2852874
Source Port:	14771
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.4 - Destination IP: 3.124.142.205

Timestamp:	05/03/24-19:10:01.234928
SID:	2852923
Source Port:	49731
Destination Port:	14771
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.4 - Destination IP: 3.124.142.205

Timestamp:	05/03/24-19:08:04.180945
SID:	2853193
Source Port:	49731
Destination Port:	14771
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.4 - Destination IP: 3.124.142.205

Timestamp:	05/03/24-19:06:14.763593
SID:	2855924
Source Port:	49731
Destination Port:	14771
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 3.124.142.205 - Destination IP: 192.168.2.4

Timestamp:	05/03/24-19:10:01.234012
SID:	2852870
Source Port:	14771
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ent.exe

Avira: detected

Found malware configuration

Source: ent.exe

Malware Configuration Extractor: Xworm {"C2 url": "https://pastebin.com/raw/XzLzRHpk", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for domain / URL

Source: 0.tcp.eu.ngrok.io

Virustotal: Detection: 16%

Perma Link

Multi AV Scanner detection for submitted file

Source: ent.exe	ReversingLabs: Detection: 71%
Source: ent.exe	Virustotal: Detection: 63%			Perma Link

Machine Learning detection for sample

Source: ent.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: ent.exe	String decryptor: https://pastebin.com/raw/XzLzRHpk
Source: ent.exe	String decryptor: <123456789>
Source: ent.exe	String decryptor: <Xwormmm>
Source: ent.exe	String decryptor: XWorm V5.2
Source: ent.exe	String decryptor: USB.exe

Source: ent.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: ent.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49731 -> 3.124.142.205:14771
Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 3.124.142.205:14771 -> 192.168.2.4:49731
Source: Traffic	Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.4:49731 -> 3.124.142.205:14771
Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 3.124.142.205:14771 -> 192.168.2.4:49731
Source: Traffic	Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49731 -> 3.124.142.205:14771

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://pastebin.com/raw/XzLzRHpk

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 3.124.142.205:14771

Source: global traffic

HTTP traffic detected: GET /raw/XzLzRHpk HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View	IP Address: 3.124.142.205 3.124.142.205

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /raw/XzLzRHpk HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: 0.tcp.eu.ngrok.io

Source: ent.exe, 00000000.00000002.4091153100.0000000002961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ent.exe, 00000000.00000002.4091153100.0000000002961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/XzLzRHpk

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: ent.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.ent.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1610301643.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\ent.exe	Code function: 0_2_00007FFD9BA271E6		0_2_00007FFD9BA271E6
Source: C:\Users\user\Desktop\ent.exe	Code function: 0_2_00007FFD9BA27F92		0_2_00007FFD9BA27F92

Source: ent.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ent.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.ent.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1610301643.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: ent.exe, HhJqaWbxad.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ent.exe, Hrb1QuEbdK.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ent.exe, Hrb1QuEbdK.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: ent.exe, vWPhZKB0Lc87Y6KP7tFsNAYO1O35ROoxOSayV3Dtvx0DW23Gow7QMOZpkKYVpvHrFRb.cs

Base64 encoded string: 'p7c+DXj0CZbo/dmcMAy7DeHDb6pTBt54fWli7uuogaZDpvE4xCMR7owoR6r5ADrJ'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@2/2

Source: C:\Users\user\Desktop\ent.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\ent.exe	Mutant created: \Sessions\1\BaseNamedObjects\QcrQZJqSSienf6lv

Source: ent.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ent.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\ent.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ent.exe	ReversingLabs: Detection: 71%
Source: ent.exe	Virustotal: Detection: 63%

Source: C:\Users\user\Desktop\ent.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\ent.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: ent.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ent.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: ent.exe, xqYT7OUGqkqRwX29pnKgdR3LEd3UlR4s9VSWi0SJvmEDRqw0Iw95xtwXRJxwsvGOCcJ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{vWPhZKB0Lc87Y6KP7tFsNAYO1O35ROoxOSayV3Dtvx0DW23Gow7QMOZpkKYVpvHrFRb._5z42eciGnDiLWwMMBrlAWBswMfErHYemxpk5xbkzsUAJ2LzOtbbbzt9EimE5fVdPwl4,vWPhZKB0Lc87Y6KP7tFsNAYO1O35ROoxOSayV3Dtvx0DW23Gow7QMOZpkKYVpvHrFRb._4FweWkquh3RvVKJQG2WtYmUmdu8wJY2B7vAfxG6ZRtvleUJoWxznbOn1Ah6F4qbXilU,vWPhZKB0Lc87Y6KP7tFsNAYO1O35ROoxOSayV3Dtvx0DW23Gow7QMOZpkKYVpvHrFRb._34o2CttlV6Z5OkTMkYtBjptFaD0JPPENJOwKyYGN5tbUlW8wJKOyfu1lUO6aDnBMFQ4,vWPhZKB0Lc87Y6KP7tFsNAYO1O35ROoxOSayV3Dtvx0DW23Gow7QMOZpkKYVpvHrFRb.ieeUdjFxCZ7E8rHqfvKJ0bv4jGCETNis5lRvdjSUOZJnajGR8WUPoldl6KUY18OeJlZ,Hrb1QuEbdK.MlmUwDx7TN()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: ent.exe, xqYT7OUGqkqRwX29pnKgdR3LEd3UlR4s9VSWi0SJvmEDRqw0Iw95xtwXRJxwsvGOCcJ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{b5TtOv5X8T[2],Hrb1QuEbdK.IOdLpHuVBj(Convert.FromBase64String(b5TtOv5X8T[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: ent.exe, xqYT7OUGqkqRwX29pnKgdR3LEd3UlR4s9VSWi0SJvmEDRqw0Iw95xtwXRJxwsvGOCcJ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { b5TtOv5X8T[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: ent.exe, xqYT7OUGqkqRwX29pnKgdR3LEd3UlR4s9VSWi0SJvmEDRqw0Iw95xtwXRJxwsvGOCcJ.cs	.Net Code: PShk1H4H3Cyu00fmwuhvGxAgB27R8UwHEyB8qfYUPcAmYH7e6iutMwXa5dnqjVwqVGo System.AppDomain.Load(byte[])
Source: ent.exe, xqYT7OUGqkqRwX29pnKgdR3LEd3UlR4s9VSWi0SJvmEDRqw0Iw95xtwXRJxwsvGOCcJ.cs	.Net Code: Y2Mr5BI7zz System.AppDomain.Load(byte[])
Source: ent.exe, xqYT7OUGqkqRwX29pnKgdR3LEd3UlR4s9VSWi0SJvmEDRqw0Iw95xtwXRJxwsvGOCcJ.cs	.Net Code: Y2Mr5BI7zz

Source: ent.exe, a6ZWaVxrpCMZ1hn9IHtFLzJrzGCUusj4xnRO8lJqsFTaQyM8mMe7975yjs7MsuqDsYK.cs	High entropy of concatenated method names: 'kkTuPt2aSfUCWD5B9u719FiqGuU2H0tlMOTctub0gXBxLRAVaYutRsiLNOTcz2Vc7A1', 'xfaBbejgSA1KBfxRPJ3rNz4YXeaWeqc0jW5O191Zt7E7JRk7arZ0eVFtyieVZwXzKim', '_0b6u7rR6SPsTm22cukU6XX9oEmR1ixYnluAAyRkqq2XlCnRy0bzSjrvmKIIHUKe6apm', 'gJ80Ag8XtrZzoRlw19Yztu6e9vmbLyopjdxIRAeI1eQuC4ux1ykxCxc52LrERmEpEcm', 'u2HCKkSoVq', 'DtX22eLYGL', 'RoeZXxvKnD', 'gS5CgA3pGE', '_9WIfQAnvJE', 'BhhrquxyOz'
Source: ent.exe, xqYT7OUGqkqRwX29pnKgdR3LEd3UlR4s9VSWi0SJvmEDRqw0Iw95xtwXRJxwsvGOCcJ.cs	High entropy of concatenated method names: 'FkchzINObi4T7oxZuCB8j24vI6CulSUpdyOvxRjSCbedwBJ5SxoW9mDQKoMEcal28w3', 'PShk1H4H3Cyu00fmwuhvGxAgB27R8UwHEyB8qfYUPcAmYH7e6iutMwXa5dnqjVwqVGo', 'WD3mGYdUmHpZosDYWaKsoBneE26kDy6xUlygduPwTu2ZXUp19UrAA5DRuJtFaLn7zIn', 'mpWtboOENiPtar1dNoqyU6NbWJ3oj37LmBzKW6JEnhj9Fj60bRM00MFNoNeci0W8aoA', 'RrmZQ1TJSq', 'pWzBTmxAA6', 'iGDm6GEZ7l', 'NcYqpCtQcu', 'f8yXbUibfA', 'T7ZmhZebZ3'
Source: ent.exe, poLaxEtZwgWjBPprJIGiVujsCaD8XThBt7Ad3g4kmIDEodDDhnbw3JkjeiuvaRGiPWQ.cs	High entropy of concatenated method names: '_7PMKLeHBlFcGHzQCVJ9xYabzYVuZTqKDs9kFa0ug3Ru1aRqFwAZfTVIXTWgcdkB4pSo', 'N5u28MZ5bwkyHfwMMhTyAgycrDjtu86xIJTCZk89pPQFTsV4CyzgkYycOLOKkksTCeR', 'L7jyCVi5euMaY7Jiwv6iaemuomapDsvJVwesEUw31cWgyvFomFwD6w404om9qUhWdH4', 'VFn736wenLxHlGnjbr7GR3xR4sooT3qsTjFMY6i67XKfiNLHBdUdeWj50XroMZBtyCt', 'eDnaH3D3Bm9dbc1fU9n6zjECzRViAxcfLUWuruvBqi1rOd4ZTekn5E9Of54wC7UBdoS', 'INbBhmpDWjP3wyrKVQIGOR0NW2dstGLCN7ZALUOzqOunlSCPqnwuv8DtTCxnVkXjXAT', 'lfGaMQrlin5ASu3vWnUyHNg2CAsuyCXPo0eFiwOD88B9sMzSovaUcB87n8UUMuLGAf6', '_0vX86dMPIEdfKVnKTocYSgNJQMnPYcN4VsQV6IM7lGppUqWuvUzoYvQzu8672maMSCA', 'BJ1xITWc7eKFzdQzdtCbRaP6qOPqZmd972X2PlQP0fVqogtGnqQ5guemADvCRyzwLD3', 'rtwLn5eSeoUoip1FQfZPmOpJjPVd9yp8HS565jCa9yoTTI0u8InZ6mkWUTttOApq5Qw'
Source: ent.exe, Hrb1QuEbdK.cs	High entropy of concatenated method names: 'WVNyMtR6FD', 'TVRe3kgUUd', 'VUPphhmVqZ', 'gsNDkP6dMl', 'Q0Gkupd363', 'xQ1nFhHEXo', 'hI6pAbL93m', 'Q9gcRMjZdp', 'KRxiYFs0Hp', 'mjRPqfKrDa'

Source: C:\Users\user\Desktop\ent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ent.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\ent.exe	Memory allocated: 2780000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	Memory allocated: 1A960000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\ent.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\ent.exe

Window / User API: threadDelayed 9757

Jump to behavior

Source: C:\Users\user\Desktop\ent.exe TID: 7644	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe TID: 7648	Thread sleep count: 9757 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ent.exe TID: 7648	Thread sleep count: 94 > 30	Jump to behavior

Source: C:\Users\user\Desktop\ent.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\ent.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\ent.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: ent.exe, 00000000.00000002.4090588162.0000000000C64000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4

Source: C:\Users\user\Desktop\ent.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\ent.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: ent.exe, 00000000.00000002.4091153100.00000000029E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: ent.exe, 00000000.00000002.4091153100.00000000029E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: ent.exe, 00000000.00000002.4091153100.00000000029E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: ent.exe, 00000000.00000002.4091153100.00000000029E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: ent.exe, 00000000.00000002.4091153100.00000000029E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2

Source: C:\Users\user\Desktop\ent.exe

Queries volume information: C:\Users\user\Desktop\ent.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\ent.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: ent.exe, 00000000.00000002.4090588162.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp, ent.exe, 00000000.00000002.4092336993.000000001B5F3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\ent.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: ent.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ent.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4091153100.00000000029AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1610301643.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ent.exe PID: 7488, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: ent.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ent.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4091153100.00000000029AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1610301643.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ent.exe PID: 7488, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 Query Registry	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ent.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
ent.exe	64%	Virustotal		Browse
ent.exe	100%	Avira	HEUR/AGEN.1305769
ent.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
0.tcp.eu.ngrok.io	16%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pastebin.com	172.67.19.24	true	false		high
0.tcp.eu.ngrok.io	3.124.142.205	true	true	16%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/XzLzRHpk	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ent.exe, 00000000.00000002.4091153100.0000000002961000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.19.24	pastebin.com	United States		13335	CLOUDFLARENETUS	false
3.124.142.205	0.tcp.eu.ngrok.io	United States		16509	AMAZON-02US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436084
Start date and time:	2024-05-03 19:05:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ent.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 47 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ent.exe, PID 7488 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:06:01	API Interceptor	11053798x Sleep call for process: ent.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.19.24	Dadebehring PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
172.67.19.24	PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
3.124.142.205	xaa.doc.docx	Get hash	malicious	CVE-2021-40444	Browse	259f-88-231-63-13.eu.ngrok.io/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	BTUJ5A5J3m.exe	Get hash	malicious	LimeRAT	Browse	172.67.19.24
	invoice.exe	Get hash	malicious	MinerDownloader, RedLine, Xmrig	Browse	104.20.4.235
	2024 12_59_31 a.m..js	Get hash	malicious	WSHRAT	Browse	104.20.3.235
	Dadebehring PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	172.67.19.24
	PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	104.20.3.235
	Update on Payment.js	Get hash	malicious	WSHRAT	Browse	104.20.4.235
	G1lnGpOLK4.exe	Get hash	malicious	Njrat	Browse	104.20.3.235
	[V2]launcher.exe	Get hash	malicious	PureLog Stealer, RedLine, Xmrig	Browse	104.20.3.235
	0ED4nPDjeo.exe	Get hash	malicious	RedLine, SectopRAT	Browse	104.20.3.235
	1nS3mkPS10.exe	Get hash	malicious	LimeRAT	Browse	104.20.4.235
0.tcp.eu.ngrok.io	G1lnGpOLK4.exe	Get hash	malicious	Njrat	Browse	18.192.31.165
	1nS3mkPS10.exe	Get hash	malicious	LimeRAT	Browse	3.124.142.205
	MFs7p6ab7w.exe	Get hash	malicious	Njrat	Browse	18.192.31.165
	jpGSWjSTSw.exe	Get hash	malicious	Njrat	Browse	3.124.142.205
	KvS2rT08PQ.exe	Get hash	malicious	Blank Grabber, Njrat, Umbral Stealer	Browse	18.158.249.75
	lLX6Po7hFJ.exe	Get hash	malicious	Nanocore	Browse	3.125.223.134
	aXDh3Stgy2.exe	Get hash	malicious	Njrat	Browse	18.158.249.75
	9VnALqFMbF.exe	Get hash	malicious	DarkComet	Browse	3.125.209.94
	AKsHpy5O2W.exe	Get hash	malicious	Njrat	Browse	3.125.223.134
	D6p5mclMzu.exe	Get hash	malicious	Njrat	Browse	3.124.142.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	Scanned from Xerox KwlawMultiftr.rtf	Get hash	malicious	HTMLPhisher	Browse	108.138.128.21
	Doc Copy - McCoy Electric Co. Inc - RNP5838793A8439.msg	Get hash	malicious	HTMLPhisher	Browse	52.59.165.42
	https://cabinetlds-my.sharepoint.com/:b:/p/olivier_renard/EVpDRDG2GJRJqC-6mNZE75kBNXQtv2TSFCkPPCWDeaZa-w?e=qfkgyD	Get hash	malicious	HTMLPhisher	Browse	108.138.128.26
	https://dweb.link/ipfs/bafkreihtggm5lijbcmgnngp56fgtaxfzglditdvyi6vhk6v4yi5nmurq2u?filename=Login.html#pharmacovigilance@daiichi-sankyo.co.uk	Get hash	malicious	Unknown	Browse	52.25.234.254
	https://preview.webflow.com/preview/87665784?utm_medium=preview_link&utm_source=designer&utm_content=87665784&preview=14c6c58eb6f79601a2f74a0af8d58b28&workflow=preview	Get hash	malicious	Unknown	Browse	13.225.63.33
	scanned fax.docx	Get hash	malicious	Unknown	Browse	54.231.134.48
	scanned fax.docx	Get hash	malicious	Unknown	Browse	52.217.121.184
	http://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:3a03de0d-9ad9-478c-a00b-f8cf4aad7ad9	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	108.138.128.75
	citat #05022024.xla.xlsx	Get hash	malicious	Unknown	Browse	76.76.21.21
	citat #05022024.xla.xlsx	Get hash	malicious	Unknown	Browse	76.76.21.21
CLOUDFLARENETUS	BTUJ5A5J3m.exe	Get hash	malicious	LimeRAT	Browse	172.67.19.24
	http://88mansession.com	Get hash	malicious	Unknown	Browse	104.21.33.162
	https://www.billinginquiry.dfinsolutions.com/	Get hash	malicious	Unknown	Browse	1.1.1.1
	Scanned from Xerox KwlawMultiftr.rtf	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	Purchase_Order_1803075641.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Doc Copy - McCoy Electric Co. Inc - RNP5838793A8439.msg	Get hash	malicious	HTMLPhisher	Browse	162.159.128.70
	http://www.maxottawa.ca	Get hash	malicious	Unknown	Browse	172.67.185.53
	https://cabinetlds-my.sharepoint.com/:b:/p/olivier_renard/EVpDRDG2GJRJqC-6mNZE75kBNXQtv2TSFCkPPCWDeaZa-w?e=qfkgyD	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	Order PS24S0040.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	https://dweb.link/ipfs/bafkreihtggm5lijbcmgnngp56fgtaxfzglditdvyi6vhk6v4yi5nmurq2u?filename=Login.html#pharmacovigilance@daiichi-sankyo.co.uk	Get hash	malicious	Unknown	Browse	104.18.31.187

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Order PS24S0040.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.19.24
	reports_239900.html	Get hash	malicious	Unknown	Browse	172.67.19.24
	FATURA VE BELGELER..exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.19.24
	1110022.vbs	Get hash	malicious	AgentTesla	Browse	172.67.19.24
	Odeme -(Mayis).lnk.lnk	Get hash	malicious	XenoRAT	Browse	172.67.19.24
	http://url9823.ville.labrecque.qc.ca	Get hash	malicious	Unknown	Browse	172.67.19.24
	tt receipts.exe	Get hash	malicious	DarkTortilla	Browse	172.67.19.24
	Transfer copy PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.19.24
	Invoice _ 2357.exe	Get hash	malicious	AgentTesla	Browse	172.67.19.24
	Eurovisioner.exe	Get hash	malicious	GuLoader	Browse	172.67.19.24

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.917434667430469
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	ent.exe
File size:	45'056 bytes
MD5:	211661398474b9c96a1d704823d0e552
SHA1:	5afcd1a87a69ea1c84a06fdf7079660133ceb28a
SHA256:	c43fa1f0bbfbb8f91d9a339b97922494bf790c6b58bf973b56836ef52a3196cd
SHA512:	51717923b8d063874d5216db14adbe506826715773845c17961c5e52ed072380ea8b9b75d55559f855e6f42c35c8dd984c055eb3d1f7bec02c62463423c96666
SSDEEP:	768:trlZa605WoOu+tpBERbGTHDUgkbZCfr2A33O3sh0l0E:tfq0u+tpKbAjXkbZCjjO3s60E
TLSH:	57137C0C73B44226D1FE1BF429B222429239E6175913EB5F68C951DB6B63FCCCA107E6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5f................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40c4ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6635170C [Fri May 3 16:55:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc49c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x4be	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa4f4	0xa600	115d774bbc546c22c68c84bcb27d6fab	False	0.583019578313253	data	6.0441803608179345	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x4be	0x600	1a10ebe532adeeda0407f6806baac2de	False	0.3697916666666667	data	3.677404346999089	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	4a4ab37a5b11d854015ffe1e4f9055da	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x234	data			0.46808510638297873
RT_MANIFEST	0xe2d4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/03/24-19:09:49.210550	TCP	2852874	ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2	14771	49731	3.124.142.205	192.168.2.4
05/03/24-19:10:01.234928	TCP	2852923	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49731	14771	192.168.2.4	3.124.142.205
05/03/24-19:08:04.180945	TCP	2853193	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49731	14771	192.168.2.4	3.124.142.205
05/03/24-19:06:14.763593	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49731	14771	192.168.2.4	3.124.142.205
05/03/24-19:10:01.234012	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	14771	49731	3.124.142.205	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2024 19:06:01.441291094 CEST	49730	443	192.168.2.4	172.67.19.24
May 3, 2024 19:06:01.441319942 CEST	443	49730	172.67.19.24	192.168.2.4
May 3, 2024 19:06:01.441390991 CEST	49730	443	192.168.2.4	172.67.19.24
May 3, 2024 19:06:01.477689028 CEST	49730	443	192.168.2.4	172.67.19.24
May 3, 2024 19:06:01.477710009 CEST	443	49730	172.67.19.24	192.168.2.4
May 3, 2024 19:06:01.666747093 CEST	443	49730	172.67.19.24	192.168.2.4
May 3, 2024 19:06:01.666920900 CEST	49730	443	192.168.2.4	172.67.19.24
May 3, 2024 19:06:01.670366049 CEST	49730	443	192.168.2.4	172.67.19.24
May 3, 2024 19:06:01.670372009 CEST	443	49730	172.67.19.24	192.168.2.4
May 3, 2024 19:06:01.670743942 CEST	443	49730	172.67.19.24	192.168.2.4
May 3, 2024 19:06:01.711657047 CEST	49730	443	192.168.2.4	172.67.19.24
May 3, 2024 19:06:01.726829052 CEST	49730	443	192.168.2.4	172.67.19.24
May 3, 2024 19:06:01.772123098 CEST	443	49730	172.67.19.24	192.168.2.4
May 3, 2024 19:06:02.299001932 CEST	443	49730	172.67.19.24	192.168.2.4
May 3, 2024 19:06:02.299115896 CEST	443	49730	172.67.19.24	192.168.2.4
May 3, 2024 19:06:02.299197912 CEST	49730	443	192.168.2.4	172.67.19.24
May 3, 2024 19:06:02.316203117 CEST	49730	443	192.168.2.4	172.67.19.24
May 3, 2024 19:06:02.535470009 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:06:02.703926086 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:06:02.704015970 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:06:02.860315084 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:06:03.028669119 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:06:14.763592958 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:06:14.932058096 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:06:15.035603046 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:06:15.086685896 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:06:15.105622053 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:06:15.273937941 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:06:19.211822033 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:06:19.258584976 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:06:26.693331957 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:06:26.862231970 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:06:26.962575912 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:06:26.964534998 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:06:27.132930994 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:06:38.587523937 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:06:38.755841017 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:06:38.895942926 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:06:38.897958040 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:06:39.069092989 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:06:49.215188026 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:06:49.258624077 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:06:50.493331909 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:06:50.663716078 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:06:50.762104988 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:06:50.764729023 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:06:50.933073044 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:02.399717093 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:02.568389893 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:02.705624104 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:02.709378004 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:02.877757072 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:14.305824995 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:14.474236965 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:14.577270031 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:14.579015970 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:14.747353077 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:19.221663952 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:19.305649042 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:20.805838108 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:20.974375963 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:21.075030088 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:21.076677084 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:21.246185064 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:25.478203058 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:25.646962881 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:25.759680033 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:25.761686087 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:25.930526018 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:31.337400913 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:31.505932093 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:31.710369110 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:31.712431908 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:31.884341002 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:35.337398052 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:35.506159067 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:35.605715036 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:35.639215946 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:35.807719946 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:41.524646997 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:41.692904949 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:41.696078062 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:41.795049906 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:41.867156982 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:41.868036032 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:41.964251995 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:42.037652016 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:42.037704945 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:42.206346035 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:46.665231943 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:46.834966898 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:46.835176945 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:46.932305098 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:46.977431059 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:47.003573895 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:47.003671885 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:47.102581978 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:47.152782917 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:47.172184944 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:47.177923918 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:47.346378088 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:49.201545000 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:49.243046999 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:51.602747917 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:51.771555901 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:51.871520042 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:51.875624895 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:52.044127941 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:54.884119987 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:55.052714109 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:55.150727987 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:55.182379961 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:55.351406097 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:56.977843046 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:57.146271944 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:57.246676922 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:07:57.252185106 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:07:57.420583963 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:04.180944920 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:04.350425959 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:04.350471973 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:04.449817896 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:04.520759106 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:04.520807981 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:04.618180990 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:04.689158916 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:04.689208984 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:04.858366966 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:14.477853060 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:14.647212982 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:14.746824980 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:14.750166893 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:14.918684959 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:19.220877886 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:19.352488995 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:26.384044886 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:26.552395105 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:26.717139959 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:26.729109049 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:26.897480011 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:29.618522882 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:29.787108898 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:29.787276983 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:29.917392969 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:29.955713987 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:29.955780029 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:30.054119110 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:30.124083042 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:30.124229908 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:30.292639017 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:30.297983885 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:30.466213942 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:30.565696955 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:30.573364973 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:30.743231058 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:30.744071960 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:30.913408041 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:31.043236017 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:31.045202971 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:31.213532925 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:39.727808952 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:39.896528006 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:39.896743059 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:40.024111986 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:40.065057993 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:40.065124035 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:40.169743061 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:40.233442068 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:40.233489990 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:40.401748896 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:49.207017899 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:49.352504969 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:51.665378094 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:51.834018946 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:51.932565928 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:08:51.934417963 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:08:52.102782965 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:01.759079933 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:01.927357912 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:01.927429914 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:02.030915022 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:02.030976057 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:02.095726013 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:02.095779896 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:02.199671984 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:02.211111069 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:02.221616983 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:02.221818924 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:02.238217115 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:02.240020990 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:02.241189957 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:02.290097952 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:02.305913925 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:02.306082964 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:02.371447086 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:02.371735096 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:02.383320093 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:02.383868933 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:02.390353918 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:02.396513939 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:02.409670115 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:02.482754946 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:02.527996063 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:02.553911924 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:02.605139971 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:02.848850965 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:03.017091990 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:03.868465900 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:04.036974907 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:07.196599007 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:07.364928007 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:07.364980936 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:07.465553045 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:07.534437895 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:07.534495115 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:07.642039061 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:07.705773115 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:07.705821991 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:07.874130964 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:17.306077003 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:17.474376917 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:17.474431992 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:17.579298973 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:17.642735004 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:17.642807007 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:17.742445946 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:17.811132908 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:17.899420023 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:18.922750950 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:19.091064930 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:19.221473932 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:19.303075075 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:20.759233952 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:20.927797079 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:21.026738882 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:21.028320074 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:21.197005033 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:21.978141069 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:22.147423983 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:22.269120932 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:22.273937941 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:22.442552090 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:22.587382078 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:22.755712032 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:22.837929964 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:22.879359961 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:23.006527901 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:23.006805897 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:23.105736017 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:23.175081015 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:23.175122023 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:23.343550920 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:23.915349960 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:24.083857059 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:24.185548067 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:24.189941883 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:24.358247995 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:25.603199005 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:25.773000956 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:25.872438908 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:25.874485970 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:26.044081926 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:26.292094946 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:26.460401058 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:26.559017897 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:26.561697006 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:26.730025053 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:29.243607044 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:29.413829088 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:29.510481119 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:29.512882948 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:29.681278944 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:31.462300062 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:31.630637884 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:31.734321117 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:31.736082077 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:31.904411077 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:38.180951118 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:38.349837065 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:38.449337006 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:38.454061985 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:38.623610973 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:41.134041071 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:41.302278042 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:41.402260065 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:41.403629065 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:41.572606087 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:46.587440968 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:46.755743027 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:46.856673002 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:46.858309031 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:47.028500080 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:49.210550070 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:49.292032003 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:51.087539911 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:51.256817102 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:51.362943888 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:51.368088007 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:51.538621902 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:51.556117058 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:51.724380970 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:51.828964949 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:51.836138010 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:52.004435062 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:54.712234020 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:54.881592035 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:54.991756916 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:54.994393110 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:09:55.163300991 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:09:59.931111097 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:10:00.099966049 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:10:00.100022078 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:10:00.200278044 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:10:00.268377066 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:10:00.272119045 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:10:00.367611885 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:10:00.379245043 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:10:00.380127907 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:10:00.440474033 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:10:00.442015886 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:10:00.550519943 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:10:00.610377073 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:10:00.964977026 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:10:01.133480072 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:10:01.234011889 CEST	14771	49731	3.124.142.205	192.168.2.4
May 3, 2024 19:10:01.234927893 CEST	49731	14771	192.168.2.4	3.124.142.205
May 3, 2024 19:10:01.403354883 CEST	14771	49731	3.124.142.205	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2024 19:06:01.296482086 CEST	58651	53	192.168.2.4	1.1.1.1
May 3, 2024 19:06:01.386296988 CEST	53	58651	1.1.1.1	192.168.2.4
May 3, 2024 19:06:02.441200972 CEST	64658	53	192.168.2.4	1.1.1.1
May 3, 2024 19:06:02.533694983 CEST	53	64658	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 3, 2024 19:06:01.296482086 CEST	192.168.2.4	1.1.1.1	0x378	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false
May 3, 2024 19:06:02.441200972 CEST	192.168.2.4	1.1.1.1	0x603	Standard query (0)	0.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 3, 2024 19:06:01.386296988 CEST	1.1.1.1	192.168.2.4	0x378	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
May 3, 2024 19:06:01.386296988 CEST	1.1.1.1	192.168.2.4	0x378	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false
May 3, 2024 19:06:01.386296988 CEST	1.1.1.1	192.168.2.4	0x378	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false
May 3, 2024 19:06:02.533694983 CEST	1.1.1.1	192.168.2.4	0x603	No error (0)	0.tcp.eu.ngrok.io	3.124.142.205	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.19.24	443	7488	C:\Users\user\Desktop\ent.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 17:06:01 UTC	74	OUT	GET /raw/XzLzRHpk HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-03 17:06:02 UTC	388	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 17:06:02 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: MISS Last-Modified: Fri, 03 May 2024 17:06:02 GMT Server: cloudflare CF-RAY: 87e1d6d9792e8c41-EWR
2024-05-03 17:06:02 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 34 37 37 31 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:14771
2024-05-03 17:06:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	19:05:51
Start date:	03/05/2024
Path:	C:\Users\user\Desktop\ent.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ent.exe"
Imagebase:	0x670000
File size:	45'056 bytes
MD5 hash:	211661398474B9C96A1D704823D0E552
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4091153100.00000000029AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1610301643.0000000000672000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1610301643.0000000000672000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FFD9BA271E6 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8aefdecbc1099eb12ff9c92bf4e020e181c2b0031993fac7deafaece602086f
Instruction ID: 24042a2c7c7b7afc2e85615c6e2b4c85cfa021bb18f209e57075cbbe168b2804
Opcode Fuzzy Hash: d8aefdecbc1099eb12ff9c92bf4e020e181c2b0031993fac7deafaece602086f
Instruction Fuzzy Hash: E6F1B630A09A4E8FEBA8DF28C8557E977D1FF54310F04426EE85DC7295CB749E458B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA27F92 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa427dcd7fb42de5750c7f47e72ec2c1911cb9304332f766c28147e4ccb868d
Instruction ID: ca3d4eba92df006331ae606bd017a729aa03a417688a48047a0a9a3850d3f986
Opcode Fuzzy Hash: 8aa427dcd7fb42de5750c7f47e72ec2c1911cb9304332f766c28147e4ccb868d
Instruction Fuzzy Hash: 5BE1E530A09A4E8FEBA8DF28C8657E977D1FF54310F14426EE84DC72A5DF74A9448B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA227C8 Relevance: 1.7, Strings: 1, Instructions: 414COMMON

Download Yara Rule

Strings

{K_H, xrefs: 00007FFD9BA2A971

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID: {K_H
API String ID: 0-2760970905
Opcode ID: 0aad162cfa76249239a531c8ca14454b5773bcb58d8bd070cc0d7d28aa3d5598
Instruction ID: fcc25bcdbed5f6bbb68add2043ca738bd571ac4a577fe51d5ae8dcc7391a7fae
Opcode Fuzzy Hash: 0aad162cfa76249239a531c8ca14454b5773bcb58d8bd070cc0d7d28aa3d5598
Instruction Fuzzy Hash: A4D1D171B5D91E4FD7A8EB2CC4A5AA973D2FF58310B4205BDE05EC72A6CE24AD418780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA28C49 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9BA28CAA

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: ed6319ac8bf60cba83fffc7ee5b7cd60ca2fb3964d5eefdf60605e31b8f6cd06
Instruction ID: 65116a4831d415bad950d981283737cd55fc8ab26c079001f83041a662b96af9
Opcode Fuzzy Hash: ed6319ac8bf60cba83fffc7ee5b7cd60ca2fb3964d5eefdf60605e31b8f6cd06
Instruction Fuzzy Hash: 60310A30A4E9899FDB56EB3CC8A5A683BF0FF16710B0501AAD448C72E3CF38A841C745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA214D3 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

/L_^, xrefs: 00007FFD9BA21501

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID: /L_^
API String ID: 0-291842488
Opcode ID: c87386f96dc5b50416aa5dd6045748a699c927315d0383e908bfdc2fc68c02d5
Instruction ID: 9a7bdc9e091d91f0fd648f606863dcda45ad50294d8756936833c1d3204527c4
Opcode Fuzzy Hash: c87386f96dc5b50416aa5dd6045748a699c927315d0383e908bfdc2fc68c02d5
Instruction Fuzzy Hash: A8213893F0E68B4BFF6657A898724B43BC1DF7665070A40B7D4AE8F0E3DD04AA058352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA22E2D Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

['L_^, xrefs: 00007FFD9BA22E66

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID: ['L_^
API String ID: 0-4126013399
Opcode ID: d6a2ca026dcbaab69e21b42571feb9de88a77c13b4fd14ee70f32dd4ef356dff
Instruction ID: eee93f23be7435d942d588ca3dcb3e138ae99a57027a94b0c5f9ac744c5b8a35
Opcode Fuzzy Hash: d6a2ca026dcbaab69e21b42571feb9de88a77c13b4fd14ee70f32dd4ef356dff
Instruction Fuzzy Hash: C1310B21F4E74A4BE775B7B884722B83791AF95314F510079E40DC72E7DEACE9428342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA28931 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BA289A3

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: e93b895cc9934083cd47b2a2b563b9379e5c7eaee00342b3b1e0a797a76a5b7b
Instruction ID: a145bfa611f9c47036e95db4c035417dc91de8a1ccc36ff6455ca6e3cdca0efc
Opcode Fuzzy Hash: e93b895cc9934083cd47b2a2b563b9379e5c7eaee00342b3b1e0a797a76a5b7b
Instruction Fuzzy Hash: B5210731D4E25E4FEB10ABE4C8166EDBBF0EF45320F0501BBE588D31A2DB6C99408792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA2A957 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

{K_H, xrefs: 00007FFD9BA2A971

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID: {K_H
API String ID: 0-2760970905
Opcode ID: 09130f748b553432923de8c6ab71abb600e5951ddc1246676c892a449b6c56d7
Instruction ID: 70bea0d8c20702f448789f0a39358a07591c29f33ecf9a32475b053887a12ef2
Opcode Fuzzy Hash: 09130f748b553432923de8c6ab71abb600e5951ddc1246676c892a449b6c56d7
Instruction Fuzzy Hash: 0C11E572B5CA1E4FCB64EB2C94A05A9F3D1FBA831471006BED44EC729ADE20EC018780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA22E88 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

['L_^, xrefs: 00007FFD9BA22E66

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID: ['L_^
API String ID: 0-4126013399
Opcode ID: 63dc4b653cb4132a4c668c91333703be1ad40a7213c70f8d3a1b52d2b998f10a
Instruction ID: 7fa45650ccf5f59953e09b20b133fd15e96ed06a3603b51d16763ba46bcd3446
Opcode Fuzzy Hash: 63dc4b653cb4132a4c668c91333703be1ad40a7213c70f8d3a1b52d2b998f10a
Instruction Fuzzy Hash: AEF0AF31F4D65E8FE375EBA8C4616B837A1AF94320F910639D01DC32E6DE78B9429780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA2AC70 Relevance: 1.1, Instructions: 1053COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb309fb71024704908f6addcdd068898a2d34b2b5a0c3480de2bb589cca1f2f7
Instruction ID: c9d5ec8a8469f7acb13a90d9c0ddc8465bd7d57f75144309c7034d98b766d197
Opcode Fuzzy Hash: eb309fb71024704908f6addcdd068898a2d34b2b5a0c3480de2bb589cca1f2f7
Instruction Fuzzy Hash: C1114C25A4EA8D5FDB12B7B888214E87B90FF01214F4503B7D42DC30E7EE2966544382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA23188 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96113693097890319f0538462dc239616eae73eeef4ea6c68f86ccb345d6154f
Instruction ID: 1d3ce46a499d8c1f570cf737df3e71cb3b52f659a7877c20e33e7ce930d529f9
Opcode Fuzzy Hash: 96113693097890319f0538462dc239616eae73eeef4ea6c68f86ccb345d6154f
Instruction Fuzzy Hash: 14C15921F0DA8A0FE769977C48752B97BD2EF96220F1502FED45EC32DBDD6868028341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA23601 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24c3b353e51635ce2b858812e4f9e92ee821cf8455073349556bad9a823fbbf
Instruction ID: bb08e784872b1f1d92a7fdafcb9ee4f12f9665cdf36cd473d6eeeb438d1d0db6
Opcode Fuzzy Hash: b24c3b353e51635ce2b858812e4f9e92ee821cf8455073349556bad9a823fbbf
Instruction Fuzzy Hash: D0B1892072D90A4FE788B77C8875BB9B2D6EF94300F5505BAE41EC32E7CD596D428742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA27BA6 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8dee39fa126ae6e8d486a05839154f15f761f58ed2539f98a598d603f70ef9
Instruction ID: 151e886ee4910dd163c341732a851ab80cbecd690b166514efffc41041a6aa9f
Opcode Fuzzy Hash: 2d8dee39fa126ae6e8d486a05839154f15f761f58ed2539f98a598d603f70ef9
Instruction Fuzzy Hash: 47B1A430609A4D4FEB69DF28C8657F93BE1FF55310F04426EE84DC7296CA74AE458B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA291FA Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40590ed845d5c190128d8eb8a905aa598706a9127bc0a83dbfb224caf9e581b5
Instruction ID: adcd31196be5b647b8056af9001d3bffc9942db71e70687afb3a0a5d3cde16c9
Opcode Fuzzy Hash: 40590ed845d5c190128d8eb8a905aa598706a9127bc0a83dbfb224caf9e581b5
Instruction Fuzzy Hash: 02312422B0EA4E0EE7559B6898B51ED7FB1EF95210F4602BAC049C71E7CD552906C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA291F8 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df7f6b7f721b91ebd60a6c299e02e62cfe837008b936cc8b76960b2b9f20205
Instruction ID: 6b206b436fbc05d05dcb81f645a1a1bfd6367f2288309684dc748954adcc6083
Opcode Fuzzy Hash: 8df7f6b7f721b91ebd60a6c299e02e62cfe837008b936cc8b76960b2b9f20205
Instruction Fuzzy Hash: 47311322F4EA8E0FEB559BA898B95FD7BB1EF95210F4602BAC049C71E7CD552906C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA29208 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca58725b5ebd3a11a40c34e4d51d054bcf199b5a039133e1291fc504692e07c
Instruction ID: 6dfc8f5eca4c67cb240b25a5e6d4a9c4dc9b6d6af2dde6d8b47b773f31dcf732
Opcode Fuzzy Hash: 4ca58725b5ebd3a11a40c34e4d51d054bcf199b5a039133e1291fc504692e07c
Instruction Fuzzy Hash: C0310422F0EA4E0FEB559BA898B55FD7BB2EF95210F4602BAC049D71E7CD552905C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA29218 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7046185b13fee085859833b8c53af4f138a2a52e394a80d78b4513dfa2d8092
Instruction ID: 976a8fde0c59aa9f13709214438c771aedd90a2be804b498c8c2b9810d5ddf0c
Opcode Fuzzy Hash: b7046185b13fee085859833b8c53af4f138a2a52e394a80d78b4513dfa2d8092
Instruction Fuzzy Hash: D431E122B0EA4E0FEB55E7A898B55FD7BB2EF85210F4602BAC049D71E6CD552905C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA20915 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af47860ead0b9e80190e1d8a906acb4970e9ec585ee6ee4f1dafa07d6f88817
Instruction ID: c4afc03e8a4af2c8d427d412fd07928a57f151e58e365b44f9265f99bd6ee14c
Opcode Fuzzy Hash: 3af47860ead0b9e80190e1d8a906acb4970e9ec585ee6ee4f1dafa07d6f88817
Instruction Fuzzy Hash: 8481F421B5994E0FDBA8AB7888795F9B6E2FF58304B4145BDE01EC32E7DE696900C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA299DD Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7995cb64a5ec8564b2993cce80c10701764f99b5ea0abe00b53a0fe5d5dee6b
Instruction ID: 13a514f133b3e371b47c58e9d12ceb9667f108437d8c5e45b1ba3a7c4868d465
Opcode Fuzzy Hash: e7995cb64a5ec8564b2993cce80c10701764f99b5ea0abe00b53a0fe5d5dee6b
Instruction Fuzzy Hash: 96711731B5D94C4FDB68EB7898A96F977E1EF59310F0501BAE00DD32E2CD68A942C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA294BE Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4dbf354139648f0dcf7644742dd63f22a2fb226cb6f53eac8fafd37ed7b1dbe
Instruction ID: 799b11192ae075dbb3cef8fc85e8c72570756a9c214f5e017a67ceb9e94f96d9
Opcode Fuzzy Hash: d4dbf354139648f0dcf7644742dd63f22a2fb226cb6f53eac8fafd37ed7b1dbe
Instruction Fuzzy Hash: 7D713671F4E94E4FE758EB7988A96A4B7D1FF04710F4502B9D00DC31E6DE68A94AC381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA29751 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d69be1ba382dda03c357ae584e7c55ea33214f05515b52c00445382a067d96f
Instruction ID: 8e6a24bdfb4cc2acd644614d7a6bb98f31f78a03af7791abd9373852de2d8d1c
Opcode Fuzzy Hash: 7d69be1ba382dda03c357ae584e7c55ea33214f05515b52c00445382a067d96f
Instruction Fuzzy Hash: 04719230F5990E4FEBA4EF68C869AB877E1FF58700F5541B9E00DC32A6CE68A941C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA29A30 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6403ff6c181a54eba96a59850064aaf08961e8d8ac455d6ff38a7f974c2ff88d
Instruction ID: 6bc768a93e7e795187ac3460b771cb377867d749110c347ffb191077ee6b9728
Opcode Fuzzy Hash: 6403ff6c181a54eba96a59850064aaf08961e8d8ac455d6ff38a7f974c2ff88d
Instruction Fuzzy Hash: F661A431B1990D4FDBA8EB68C4A9ABDB7E1EF98710F150179E40ED32E6CE64AC41C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA29FCA Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbbdfe4e5af80ceca188227a529f61264a6b7890af37791f2df3f966f78ab9df
Instruction ID: 7191abd17758f65ebd22c1f6aa90d8f12ef9e5a2997657a27e8204a00255cffe
Opcode Fuzzy Hash: bbbdfe4e5af80ceca188227a529f61264a6b7890af37791f2df3f966f78ab9df
Instruction Fuzzy Hash: A4612531A0D64D8FD759DBB8C829AB87BE0EF55320F0541BED049C71E2DB786846CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA28A1D Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc51d0ac1ad6dd373da556095876f0b5937441f1694ae38fc3d75c4d20239032
Instruction ID: 090d1e8d304956e475094667e92395cabe7755191ef7b632c2ba798cc3bd5b1a
Opcode Fuzzy Hash: bc51d0ac1ad6dd373da556095876f0b5937441f1694ae38fc3d75c4d20239032
Instruction Fuzzy Hash: D951C730A18A0C4FDB58EF68D895BEDBBF1FF58310F1042AAD44DD3296CA74A945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA23D3D Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239ca8d2141117b190174c48af76a3a2a37c4d193518409c228860635a6ac8b2
Instruction ID: 680de4b469f740f1f8704fe6034ac274a4ff8776435947e81d4ce41bc4fb7ba9
Opcode Fuzzy Hash: 239ca8d2141117b190174c48af76a3a2a37c4d193518409c228860635a6ac8b2
Instruction Fuzzy Hash: 80516130A18A0D8FDB58EF58D895BEDBBF1FF59310F1042AAD44DD3296CA74A845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA24ADC Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5184c44d5e761e91c323b3d1913a897fd5de73229e309220bce48c9f89f246
Instruction ID: 7615d2668e628afa49ccef3a958a501b26f0aae50a446157453ccb87ddbb8cda
Opcode Fuzzy Hash: 4c5184c44d5e761e91c323b3d1913a897fd5de73229e309220bce48c9f89f246
Instruction Fuzzy Hash: 4E518431A08A1C8FDB68DF58D855BE9BBF1FF59310F1082AAD40DD3256CE74A9848F81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA22835 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 645854ac407ddf4c7d638b3507f178a8b8bde2003d1756cb292e8241e5e98431
Instruction ID: e63a9c3511785accff4f0e6cdf3188f9c7a05ec9542302eb5b75741c27c0bf3b
Opcode Fuzzy Hash: 645854ac407ddf4c7d638b3507f178a8b8bde2003d1756cb292e8241e5e98431
Instruction Fuzzy Hash: FE513712B0D26715E31777FCB4B2DFC2B40DF81371B0A02BAD59E890E79D07244A86A6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA22EDD Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56da7e4887321e9031c81158e9dd0baf1cc7e8139934d89f41fae35adba137cc
Instruction ID: 3093e14e64808c5c1f2f3907ed9658cff79b20e6627193e29b07d336b9aebbd3
Opcode Fuzzy Hash: 56da7e4887321e9031c81158e9dd0baf1cc7e8139934d89f41fae35adba137cc
Instruction Fuzzy Hash: CC51A074A0DA5D8FEBA8EF68D465AB977E0FF59301F00417ED00AD36A2CB75A841CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA28D81 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af9111835d022d4963b5266ae68ffb0dd5ec6de3bc741bbc4b88c49dd8b4fa3
Instruction ID: 9dd514c84d6b575d269b242097b8b11ee0e9b037340e80187555a897b1603c5f
Opcode Fuzzy Hash: 1af9111835d022d4963b5266ae68ffb0dd5ec6de3bc741bbc4b88c49dd8b4fa3
Instruction Fuzzy Hash: FC41B271B4994D4FEB94EBA884A96FC7BF1FF59310B0505BAE40DD32A2DF3898418740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA20D41 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0deef4b9a3e99c28eed4d9b581d08744139dcfcd4d9caf66ef1311bc4bbc25cb
Instruction ID: b6ab2a439a6fd6917df74d340b6a9e4f4e7de99c2d9eba078f05772e12514122
Opcode Fuzzy Hash: 0deef4b9a3e99c28eed4d9b581d08744139dcfcd4d9caf66ef1311bc4bbc25cb
Instruction Fuzzy Hash: 3741CD34B09A4E4FDB55FBB884B5AFD7BA1EF98300F5005B9D409C72DACE69A9408741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA22CF1 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ce3844122b6d063469bfe896c9a47433f17dcc84da7675421baf69276aee40
Instruction ID: a0de6d602b6091a4e7625048a30bf441ed130615fd777c0bc70f94385bb638d9
Opcode Fuzzy Hash: a7ce3844122b6d063469bfe896c9a47433f17dcc84da7675421baf69276aee40
Instruction Fuzzy Hash: C93103B0A4E78E4FE769DB7C84B52B83BE1EF99200F4100BFD449C31E6DEA859468301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA2B14D Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f344dfcc8e3e34ed6d7b176340db873efecd1fb52f24db3e7b68ba724cca39
Instruction ID: 0ff781240a94b7df0a333101c7a2dffe3b7e91479033d21e9b85f58c5251a5f8
Opcode Fuzzy Hash: 80f344dfcc8e3e34ed6d7b176340db873efecd1fb52f24db3e7b68ba724cca39
Instruction Fuzzy Hash: 3731D531B0C61D4FE764EB7898657F977E1FF99310F5101BAD409C3296DE28E8028781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA22AFB Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0feeaf09558e8bdb28d8877412248a5e9a2b410264b32ec60f3d8077c0c05731
Instruction ID: 0c3dba156f61805c0524ab2bcd4befa782b3d797df071aaeee43d2d5b5f1e129
Opcode Fuzzy Hash: 0feeaf09558e8bdb28d8877412248a5e9a2b410264b32ec60f3d8077c0c05731
Instruction Fuzzy Hash: 75317B3B74E68D1FD722AFA8AC561E47BA0FF52325B0401BFD418CB0A3C916960AC7C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA20C49 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af100bd6d2d8a13c2365d1500e796b332c2e876272a3d7cdfc6b4871641e314d
Instruction ID: c71ce4e2900d2bd935fd81ab84d499ea8226fb390b377f054a6486e964ad18fd
Opcode Fuzzy Hash: af100bd6d2d8a13c2365d1500e796b332c2e876272a3d7cdfc6b4871641e314d
Instruction Fuzzy Hash: 9D218121B1C9494FEB88FB2C986A778B6C2EF99705F1505BEA04EC32DBDD689C418341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA2A395 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6838d9df3fdb069be80f129c22430e0d4ec71277f5696ab4dbc3ed959d8979
Instruction ID: 3bfaf9eaa40771d8da9451852a0217070a000e32dd9c6e25aa60e570619504c5
Opcode Fuzzy Hash: db6838d9df3fdb069be80f129c22430e0d4ec71277f5696ab4dbc3ed959d8979
Instruction Fuzzy Hash: DD31843150D7888FD756DBA8C899AEABFF0EF57310F0481AFD089C7562D768A809CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA20E89 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 410b6cab932a636b10b3e5bb7928837774f38d72aaab65e36ea36ae5b4f03dd4
Instruction ID: ecbe321e44d923ca443741abf2265d348e809133c6e9bd202d318297e4e12160
Opcode Fuzzy Hash: 410b6cab932a636b10b3e5bb7928837774f38d72aaab65e36ea36ae5b4f03dd4
Instruction Fuzzy Hash: 84210811B19A4A4FE7987BBC487AB7836D1EF58700F0502BAE41DC32D7DD58AD458342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA2A2B9 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b273830a75fe36b65e94b4c5656bdc299b5d207483ce257498270072b674fc
Instruction ID: 57d46774dc448d855433878ea3a0c395707e9504d2e13dee5cd727806e293074
Opcode Fuzzy Hash: a2b273830a75fe36b65e94b4c5656bdc299b5d207483ce257498270072b674fc
Instruction Fuzzy Hash: 69212720B8E6CE0FE755DBB888256F57BE1EF8A300F1541BBE089C71A2CD5C9942C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA2A1A1 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d965ff2809a9574ee728c01006dbfc64799cddbf9d7145e1e17e5596516fd51d
Instruction ID: c0cd30d840d866d93087a21f9379de2a24beb1679af95bfef14a0f7ac84fc087
Opcode Fuzzy Hash: d965ff2809a9574ee728c01006dbfc64799cddbf9d7145e1e17e5596516fd51d
Instruction Fuzzy Hash: 5321F310B1C95A4FEB45B7BC9875BB877D2EF54700F4101BAE01AC31C7CD696E048392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA215C1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a064c7b0f13baf5c1d48f297f9921159673bd2ecda6967068bb525c831232e
Instruction ID: 9722ffee8b0c5373a796294e60b73ea50c501b062ee1a2e9a8aa55cedcf55ba8
Opcode Fuzzy Hash: 68a064c7b0f13baf5c1d48f297f9921159673bd2ecda6967068bb525c831232e
Instruction Fuzzy Hash: D9110A31E0DA8D8FEB94EBA8C8696ED7BA1FF54300F01017AE41CC32D2DE7859448782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA286C8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 240b590286c6ca27f8a454f29f4ee5a3835894ecb476ebab32d3a8026b1d329d
Instruction ID: 2ab939481180ab291e1f13148cb8e309311cbdbbbcdf62da5086513a18bdd82d
Opcode Fuzzy Hash: 240b590286c6ca27f8a454f29f4ee5a3835894ecb476ebab32d3a8026b1d329d
Instruction Fuzzy Hash: DC112532F0DA5C8FDB91EB6C98562FCBBE0EF98271B0401BBD409C7256CA25694387C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA286F4 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed306e1684e79e2c23b5630a867fab6110d060ad35dc59500eaf2cf28d38141d
Instruction ID: 40b2c24c673baabb3e7fb936eab61e74017cee6a23d9a7361c12a3c0a39dfd12
Opcode Fuzzy Hash: ed306e1684e79e2c23b5630a867fab6110d060ad35dc59500eaf2cf28d38141d
Instruction Fuzzy Hash: BA114872F0DA4D4FEB61E76C98266AC77E0EF54260B0402BAE449C31D2DE14694243C2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA20BDE Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 473ca85816ff84034af9cfd7daae2094f1995bc3f365abf4824198b67b95bc46
Instruction ID: a93bc0a895ad3f4f1cb7426142d7599884fd60118b7c79e05e03b4ca2e1e6749
Opcode Fuzzy Hash: 473ca85816ff84034af9cfd7daae2094f1995bc3f365abf4824198b67b95bc46
Instruction Fuzzy Hash: FF01448254F7C51FD3A7537948695623FA9CD9746070E01EBE589CA5A3D44D180AC362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA21553 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6b9106a5493f972374d10338aac0a70755c9a24c9cce575e8a3ec1a45044b4
Instruction ID: 5dbdbc26145fd90f790d39133ad7cddbfc88f4220b4a455c07cd1218f9aebe6d
Opcode Fuzzy Hash: 6f6b9106a5493f972374d10338aac0a70755c9a24c9cce575e8a3ec1a45044b4
Instruction Fuzzy Hash: E0012641A0EB860FEB51A73888B54653FE1EF6564074904EFE489CB0E7C818A9408342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA2B095 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20451ff3ab990588e2ff47a009339ec53e8d569f9b23d628053f3812c9370799
Instruction ID: 0c926e70b1f659e3d3af0c69d193a1df15d8f6a81b65adfd936543ced2f076c1
Opcode Fuzzy Hash: 20451ff3ab990588e2ff47a009339ec53e8d569f9b23d628053f3812c9370799
Instruction Fuzzy Hash: 05F0F63595D6CD1FDB12BB6488510E97F60FF05200F4406E7E4ADC70D7DA2992698382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA20540 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d993a2d4acc941a1abfbf9b5b591b06e0093d304c4ce96f7096da31c4c10ae3e
Instruction ID: cf343ed936b3f6d74862bf14c5eba257c17d65466b7c1f9ba987d1cc50ca7159
Opcode Fuzzy Hash: d993a2d4acc941a1abfbf9b5b591b06e0093d304c4ce96f7096da31c4c10ae3e
Instruction Fuzzy Hash: 3DE026C3A1A84D1EE2B8626D08AD8724B8DDBE19A075A00BBF55EC2392EC862C0241D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA20F70 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e07c459647abcab7fa43ed27063f063b3242d4f145e8db60a8820652c2656e
Instruction ID: c6bf8302424c4c08d2a54cdbd70017f2a6e312a3636268e9ce940e4a0dbf4e9f
Opcode Fuzzy Hash: 88e07c459647abcab7fa43ed27063f063b3242d4f145e8db60a8820652c2656e
Instruction Fuzzy Hash: DAE04F21F1491E4EEF44BFAC98656FCF2E1EB88611F1000B6D51DD329ADE2858018391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA288AF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8459f925f8a9cac33df659e12fc10b3b189f2322f86e77f231c65431eb951313
Instruction ID: 57dc38cebaa44aea44e45aec7b757a617d412f51b885694e8643375c3b43a96c
Opcode Fuzzy Hash: 8459f925f8a9cac33df659e12fc10b3b189f2322f86e77f231c65431eb951313
Instruction Fuzzy Hash: CFE09B21F1451D4ADF44FF6498659FE76E1EF54304F500076D029D31CFDE7469404782

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9BA2045D Relevance: 5.4, Strings: 4, Instructions: 406COMMON

Download Yara Rule

Strings

L_^_, xrefs: 00007FFD9BA206C2
L_^a, xrefs: 00007FFD9BA206C9
3{>, xrefs: 00007FFD9BA2063E
?L_^, xrefs: 00007FFD9BA20501

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID: 3{>$?L_^$L_^_$L_^a
API String ID: 0-1085545436
Opcode ID: 893f64f79973825eef61b14c951d75d2765dcd52d9de33b073dd0016ff374366
Instruction ID: 39e0483fb220ad5e56cf901a12f1d5aa60f6c4b427ee4db595867243b30a240f
Opcode Fuzzy Hash: 893f64f79973825eef61b14c951d75d2765dcd52d9de33b073dd0016ff374366
Instruction Fuzzy Hash: B4B15C23F0D5570BE32677BCB8A28ED3790EF8137570A41B7C19A8A0D3D91A684A87D5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA20490 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

L_^_, xrefs: 00007FFD9BA206C2
L_^a, xrefs: 00007FFD9BA206C9
3{>, xrefs: 00007FFD9BA2063E
?L_^, xrefs: 00007FFD9BA20501

Memory Dump Source

Source File: 00000000.00000002.4093149054.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba20000_ent.jbxd

Similarity

API ID:
String ID: 3{>$?L_^$L_^_$L_^a
API String ID: 0-1085545436
Opcode ID: 5fde1746226eb4ae4913630b789f0b4a7f086ff7f50b598a23e1e88f2ae3d0f9
Instruction ID: 00b2d13caa6881b571cd5c62845f95272f0ff67bff12fac9dd7fae6b3641e922
Opcode Fuzzy Hash: 5fde1746226eb4ae4913630b789f0b4a7f086ff7f50b598a23e1e88f2ae3d0f9
Instruction Fuzzy Hash: D7B16D63F0D9570BE32277ACF8A28ED3790EF8137570A41B7C19A8A0D3DD16644A86D5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ent.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
ent.exe