Edit tour

Windows Analysis Report
eternal.exe

Overview

General Information

Sample name:	eternal.exe
Analysis ID:	1557108
MD5:	7439cc991a9a756c41153b8e9121baab
SHA1:	c62528386e5f62ff2975cc8ed0cad3a7d362e632
SHA256:	31a2b821e933bb193d94438d4a5aa036519535336c936d65b66889fb03164e2d
Tags:	exeuser-aachum
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

eternal.exe (PID: 1704 cmdline: "C:\Users\user\Desktop\eternal.exe" MD5: 7439CC991A9A756C41153B8E9121BAAB)

schtasks.exe (PID: 2136 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

XClient.exe (PID: 5552 cmdline: C:\Users\user\AppData\Roaming\XClient.exe MD5: 7439CC991A9A756C41153B8E9121BAAB)

XClient.exe (PID: 3376 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 7439CC991A9A756C41153B8E9121BAAB)

XClient.exe (PID: 2052 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 7439CC991A9A756C41153B8E9121BAAB)

XClient.exe (PID: 4436 cmdline: C:\Users\user\AppData\Roaming\XClient.exe MD5: 7439CC991A9A756C41153B8E9121BAAB)

XClient.exe (PID: 5852 cmdline: C:\Users\user\AppData\Roaming\XClient.exe MD5: 7439CC991A9A756C41153B8E9121BAAB)

XClient.exe (PID: 5984 cmdline: C:\Users\user\AppData\Roaming\XClient.exe MD5: 7439CC991A9A756C41153B8E9121BAAB)

XClient.exe (PID: 3668 cmdline: C:\Users\user\AppData\Roaming\XClient.exe MD5: 7439CC991A9A756C41153B8E9121BAAB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["147.185.221.23"], "Port": 33942, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
eternal.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
eternal.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xfc4e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xfceb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xfe00:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xebac:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xfc4e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xfceb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xfe00:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xebac:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1344837200.0000000000D32000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1344837200.0000000000D32000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xfa4e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xfaeb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xfc00:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe9ac:$cnc4: POST / HTTP/1.1
Process Memory Space: eternal.exe PID: 1704	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.eternal.exe.d30000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.eternal.exe.d30000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xfc4e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xfceb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xfe00:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xebac:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\XClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\eternal.exe, ProcessId: 1704, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\eternal.exe, ProcessId: 1704, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\eternal.exe", ParentImage: C:\Users\user\Desktop\eternal.exe, ParentProcessId: 1704, ParentProcessName: eternal.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe", ProcessId: 2136, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T11:25:11.545747+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.9	53557	147.185.221.23	33942	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: eternal.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: eternal.exe

Malware Configuration Extractor: Xworm {"C2 url": ["147.185.221.23"], "Port": 33942, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for domain / URL

Source: 147.185.221.23

Virustotal: Detection: 17%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\XClient.exe	Virustotal: Detection: 67%			Perma Link

Multi AV Scanner detection for submitted file

Source: eternal.exe	ReversingLabs: Detection: 73%
Source: eternal.exe	Virustotal: Detection: 67%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: eternal.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: eternal.exe	String decryptor: 147.185.221.23
Source: eternal.exe	String decryptor: 33942
Source: eternal.exe	String decryptor: <123456789>
Source: eternal.exe	String decryptor: <Xwormmm>
Source: eternal.exe	String decryptor: Group1
Source: eternal.exe	String decryptor: USB.exe
Source: eternal.exe	String decryptor: %AppData%
Source: eternal.exe	String decryptor: XClient.exe

Source: eternal.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: eternal.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:53547 -> 147.185.221.23:33942
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:53557 -> 147.185.221.23:33942

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 147.185.221.23

Source: global traffic

TCP traffic: 192.168.2.9:49777 -> 147.185.221.23:33942

Source: Joe Sandbox View

IP Address: 147.185.221.23 147.185.221.23

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23

Source: global traffic

DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: eternal.exe, 00000000.00000002.3795426043.0000000003161000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\eternal.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: eternal.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.eternal.exe.d30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1344837200.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\eternal.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\eternal.exe	Code function: 0_2_00007FF887CF186D	0_2_00007FF887CF186D
Source: C:\Users\user\Desktop\eternal.exe	Code function: 0_2_00007FF887CFA3D2	0_2_00007FF887CFA3D2
Source: C:\Users\user\Desktop\eternal.exe	Code function: 0_2_00007FF887CF9626	0_2_00007FF887CF9626
Source: C:\Users\user\Desktop\eternal.exe	Code function: 0_2_00007FF887CF2059	0_2_00007FF887CF2059
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF887CF0C3E	4_2_00007FF887CF0C3E
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF887CF186D	4_2_00007FF887CF186D
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF887CF2059	4_2_00007FF887CF2059
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 6_2_00007FF887CE186D	6_2_00007FF887CE186D
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 6_2_00007FF887CE0E68	6_2_00007FF887CE0E68
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 6_2_00007FF887CE2059	6_2_00007FF887CE2059
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 7_2_00007FF887CF0C3E	7_2_00007FF887CF0C3E
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 7_2_00007FF887CF186D	7_2_00007FF887CF186D
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 7_2_00007FF887CF2059	7_2_00007FF887CF2059
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 10_2_00007FF887D10C3E	10_2_00007FF887D10C3E
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 10_2_00007FF887D12059	10_2_00007FF887D12059
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 10_2_00007FF887D1186D	10_2_00007FF887D1186D
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 12_2_00007FF887CE186D	12_2_00007FF887CE186D
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 12_2_00007FF887CE0E68	12_2_00007FF887CE0E68
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 12_2_00007FF887CE2059	12_2_00007FF887CE2059
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 13_2_00007FF887D00C3E	13_2_00007FF887D00C3E
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 13_2_00007FF887D0186D	13_2_00007FF887D0186D
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 13_2_00007FF887D02059	13_2_00007FF887D02059
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 14_2_00007FF887D10C3E	14_2_00007FF887D10C3E
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 14_2_00007FF887D12059	14_2_00007FF887D12059
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 14_2_00007FF887D1186D	14_2_00007FF887D1186D

Source: eternal.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: eternal.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.eternal.exe.d30000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1344837200.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: eternal.exe, z7GL3GcSz0bU9xxBylPHvbaUX8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: eternal.exe, z7GL3GcSz0bU9xxBylPHvbaUX8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: eternal.exe, pwLyC8IGS9fWPw8AOOpq13VTDw.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, z7GL3GcSz0bU9xxBylPHvbaUX8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, z7GL3GcSz0bU9xxBylPHvbaUX8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, pwLyC8IGS9fWPw8AOOpq13VTDw.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: eternal.exe, ehFF3g5JMWmvPBY7f8PHXvmxPU1QBWGhSW9HZi8z2cL2PB9AU.cs	Base64 encoded string: 'zwUuG1nByTCEbaZKHWOAlu2mCDp7JUhoMorAGSUIUqs7jGnGSWfcL7nHRupmiUNZgDRBDBUz7hlO'
Source: eternal.exe, OikC8q0jRtn3fHthyLWpHpUTg7BlI3UgPeim5M0jeam7kzrAn.cs	Base64 encoded string: 'nOPvjGtOiWrak5U6dMLaaYXnV5efRXgPksc1lS1MhJkqNd2g2hTJrZQwTI60OSsaRSVeV0APlUZT'
Source: eternal.exe, fHfgyTqtDDXlgFY83FcOCVN0lmCsgZzHJUE3KRMC6.cs	Base64 encoded string: 'r9ZP2HoqHH770WDyWixlEX8ZRUYr87OFDSl4HtLk1VmHoDXC9z7gjvEpvEhFSKRin9IH', 'Yr6d8vHWsl1qg9CkWxf6ZUUnm0jR7Ke4Mfc2h4jChLnQgdVIMGjbfPrKphFxKxQHby6f', 'meCKLNBFqzdfahnjOzKN2HfHAYWoXX3kR875tED3tufBVEQEvOWeT72R871e8kvPOCp7', 't8tUYo6qF3AbbmaIzYNdk1tEW1YDNbUFN7MOTWhg89CaDB7M29qu4afdXBX3c9m8R74p', 'yOif5zu6batbtJMG78mjMggTXaUoZCMKTy1x4aM2XVeveuayD5ImGboaJ8MvCFi5Bzzl', 'hp5gyXDcXfr0IbLlGgN4BEoDIMeolWnxebvOOVVABA0hQ5FhBVeK5kTjAOFLkt2bpUb2'
Source: XClient.exe.0.dr, ehFF3g5JMWmvPBY7f8PHXvmxPU1QBWGhSW9HZi8z2cL2PB9AU.cs	Base64 encoded string: 'zwUuG1nByTCEbaZKHWOAlu2mCDp7JUhoMorAGSUIUqs7jGnGSWfcL7nHRupmiUNZgDRBDBUz7hlO'
Source: XClient.exe.0.dr, OikC8q0jRtn3fHthyLWpHpUTg7BlI3UgPeim5M0jeam7kzrAn.cs	Base64 encoded string: 'nOPvjGtOiWrak5U6dMLaaYXnV5efRXgPksc1lS1MhJkqNd2g2hTJrZQwTI60OSsaRSVeV0APlUZT'
Source: XClient.exe.0.dr, fHfgyTqtDDXlgFY83FcOCVN0lmCsgZzHJUE3KRMC6.cs	Base64 encoded string: 'r9ZP2HoqHH770WDyWixlEX8ZRUYr87OFDSl4HtLk1VmHoDXC9z7gjvEpvEhFSKRin9IH', 'Yr6d8vHWsl1qg9CkWxf6ZUUnm0jR7Ke4Mfc2h4jChLnQgdVIMGjbfPrKphFxKxQHby6f', 'meCKLNBFqzdfahnjOzKN2HfHAYWoXX3kR875tED3tufBVEQEvOWeT72R871e8kvPOCp7', 't8tUYo6qF3AbbmaIzYNdk1tEW1YDNbUFN7MOTWhg89CaDB7M29qu4afdXBX3c9m8R74p', 'yOif5zu6batbtJMG78mjMggTXaUoZCMKTy1x4aM2XVeveuayD5ImGboaJ8MvCFi5Bzzl', 'hp5gyXDcXfr0IbLlGgN4BEoDIMeolWnxebvOOVVABA0hQ5FhBVeK5kTjAOFLkt2bpUb2'

Source: XClient.exe.0.dr, IsDp1ecpTFNA4aR1tkuj7x6jBnVeFOWVVQprEerK5JT5WDvVxJvOqcheXfyHjH2HvZRfEKvHfLNgLVkvs.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XClient.exe.0.dr, IsDp1ecpTFNA4aR1tkuj7x6jBnVeFOWVVQprEerK5JT5WDvVxJvOqcheXfyHjH2HvZRfEKvHfLNgLVkvs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: eternal.exe, IsDp1ecpTFNA4aR1tkuj7x6jBnVeFOWVVQprEerK5JT5WDvVxJvOqcheXfyHjH2HvZRfEKvHfLNgLVkvs.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: eternal.exe, IsDp1ecpTFNA4aR1tkuj7x6jBnVeFOWVVQprEerK5JT5WDvVxJvOqcheXfyHjH2HvZRfEKvHfLNgLVkvs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/4@1/1

Source: C:\Users\user\Desktop\eternal.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_03
Source: C:\Users\user\AppData\Roaming\XClient.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\eternal.exe	Mutant created: \Sessions\1\BaseNamedObjects\Z7DjfJsbzoeA8FRF

Source: C:\Users\user\Desktop\eternal.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: eternal.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: eternal.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\eternal.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\eternal.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: eternal.exe	ReversingLabs: Detection: 73%
Source: eternal.exe	Virustotal: Detection: 67%

Source: C:\Users\user\Desktop\eternal.exe

File read: C:\Users\user\Desktop\eternal.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\eternal.exe "C:\Users\user\Desktop\eternal.exe"
Source: C:\Users\user\Desktop\eternal.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe C:\Users\user\AppData\Roaming\XClient.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe C:\Users\user\AppData\Roaming\XClient.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe C:\Users\user\AppData\Roaming\XClient.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe C:\Users\user\AppData\Roaming\XClient.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe C:\Users\user\AppData\Roaming\XClient.exe
Source: C:\Users\user\Desktop\eternal.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"	Jump to behavior

Source: C:\Users\user\Desktop\eternal.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\eternal.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: XClient.lnk.0.dr

LNK file: ..\..\..\..\..\XClient.exe

Source: eternal.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: eternal.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: eternal.exe, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.U2xZS9Ii0bNLwN14STRo7hwBRPZhfM0aicc7EKEBlrFHxeDFy,LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.klGcTAcrhqPTSR6ORizJ2c7HcRMpsdc3i6nBTyBWta4vxEDVy,LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.e1a4iS5m2cwY7Wz4tf9JJh8YkbpTv1LUNuS5AGzigkLRqkULl,LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.zddVe2zadHhHeDck7teLRxIVYabLIJuFmKSkvkzjoYfQwS95L,z7GL3GcSz0bU9xxBylPHvbaUX8.BvRcOGTXZLhNVW8VvUiYmleWf3IvqmgfkWjeLSwSzGNWB3uGR2J9VQkAvHh()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: eternal.exe, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{LSIheGR5jimET3JBt5sQs3uzkBQfaD2U2r8HNuqXo[2],z7GL3GcSz0bU9xxBylPHvbaUX8.aUh9qYlzTyllGrbrPVeJLz9A4o4sfJf9qsZ9CQe2zFJG296vAZakwP5nCJA(Convert.FromBase64String(LSIheGR5jimET3JBt5sQs3uzkBQfaD2U2r8HNuqXo[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.0.dr, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.U2xZS9Ii0bNLwN14STRo7hwBRPZhfM0aicc7EKEBlrFHxeDFy,LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.klGcTAcrhqPTSR6ORizJ2c7HcRMpsdc3i6nBTyBWta4vxEDVy,LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.e1a4iS5m2cwY7Wz4tf9JJh8YkbpTv1LUNuS5AGzigkLRqkULl,LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.zddVe2zadHhHeDck7teLRxIVYabLIJuFmKSkvkzjoYfQwS95L,z7GL3GcSz0bU9xxBylPHvbaUX8.BvRcOGTXZLhNVW8VvUiYmleWf3IvqmgfkWjeLSwSzGNWB3uGR2J9VQkAvHh()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.0.dr, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{LSIheGR5jimET3JBt5sQs3uzkBQfaD2U2r8HNuqXo[2],z7GL3GcSz0bU9xxBylPHvbaUX8.aUh9qYlzTyllGrbrPVeJLz9A4o4sfJf9qsZ9CQe2zFJG296vAZakwP5nCJA(Convert.FromBase64String(LSIheGR5jimET3JBt5sQs3uzkBQfaD2U2r8HNuqXo[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: eternal.exe, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs	.Net Code: o4DruXGjL07o2HIFSRdU1PNswHXNNiP4YoTvKJjE1DPXeiunlYhlqIeliXadQH1QXJgcgn6jIzq13184TVW4yyI4fojGlGN86m3 System.AppDomain.Load(byte[])
Source: eternal.exe, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs	.Net Code: _2E6ai9TR6tMMsIluNA30k9trZCLJSDwrf8inyh3Qp System.AppDomain.Load(byte[])
Source: eternal.exe, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs	.Net Code: _2E6ai9TR6tMMsIluNA30k9trZCLJSDwrf8inyh3Qp
Source: XClient.exe.0.dr, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs	.Net Code: o4DruXGjL07o2HIFSRdU1PNswHXNNiP4YoTvKJjE1DPXeiunlYhlqIeliXadQH1QXJgcgn6jIzq13184TVW4yyI4fojGlGN86m3 System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs	.Net Code: _2E6ai9TR6tMMsIluNA30k9trZCLJSDwrf8inyh3Qp System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs	.Net Code: _2E6ai9TR6tMMsIluNA30k9trZCLJSDwrf8inyh3Qp

Source: C:\Users\user\Desktop\eternal.exe	Code function: 0_2_00007FF887CF5699 push ebx; retf	0_2_00007FF887CF59DA
Source: C:\Users\user\Desktop\eternal.exe	Code function: 0_2_00007FF887CF24AD push E95DD73Bh; retf	0_2_00007FF887CF2589
Source: C:\Users\user\Desktop\eternal.exe	Code function: 0_2_00007FF887CF243D push E95DD73Bh; retf	0_2_00007FF887CF2589
Source: C:\Users\user\Desktop\eternal.exe	Code function: 0_2_00007FF887CF2EA8 push eax; iretd	0_2_00007FF887CF2EC1
Source: C:\Users\user\Desktop\eternal.exe	Code function: 0_2_00007FF887CF2D3A push eax; iretd	0_2_00007FF887CF2EC1

Source: eternal.exe, PNTkHhRdRADo9Htu8dbFVLGTwqCu2qbzjYH5zYlur5KxgSz1jQZuw8evWYvsSGwZnSHAYTXqL6hUBfvaIp2CoAMx26V.cs	High entropy of concatenated method names: '_0c5osAYdBH9XJ94w4zO6l972AlhrdGad0hqnAFgCFDwSXcziYUz2q1XXqL3Zde5p35YLYKckiT7zmCnBswlBhvyUlKO', 'zTL2B64wg2rWQWqASrnYspHnl0Z1Aumla4SUxs4D64pQI2WON1JnzP1oGkeyMwLMnb0f8QieLG4h', 'rkr0zO6T26LPtwV3U9c2u5xYBuctzMPqkJXb8TIBxlUKlPIg8rAaiHfjLP71Hzw255mMcNkH7LQq', 'Btv4maALwmARX', 'HJNgJkbLwyzIr', 'EHT5RPoBsAnvY', 'U5FhaAIW2Nj2K', '_7zTNkjNQ0QD3c', 'hQgK5oM9YmxrQ', 'LnSuQAe3DhXZ2'
Source: eternal.exe, ehFF3g5JMWmvPBY7f8PHXvmxPU1QBWGhSW9HZi8z2cL2PB9AU.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Ea65l0P6VLiuAGdcSTuvjZVcwJgbGY1253l4vMwdSVADH492dX4PnHlSS35V2YM5c6dN3ZqKdkec', 'kOmiM1AbuLNjuLBf89wLzzjhN1Q3cqGGQEB6xJwPBYbBFOr4CSGH78YstQzx2itJcGbuOsGxLZKK', 'xGK7vCJFSYRW1gcvS6EUjMnJRR8OBcSkO5EdL9avx0j551WfeEgaTLxv1eSH4wQTZWjFIcRo4bUj', 'ERiYjJBn6pFxsGNYLGgy8QzMDp73EOBHgudvczYH3MSATieVEHc6hvYTbAy3glIC6sE2LzEEvOMf'
Source: eternal.exe, ZTVYtJFrmsQJQ9ljOwNBcyaFo9DitMyOY4oipU4ny.cs	High entropy of concatenated method names: 'NoCle4xZmufxswDeh5fhpTUgoSAb5eavmQrRgKskO', 'zZWCPg3bEKG534TZwNRhlqsIneV7P6FWDiwU', '_2yRRy4y5sBKarxi31GYBsSZgy2BbH10JSslb', 'f9J0BO2UoDn7uyJSkFmSMqD2U0CLAbQJIjKF', 'jF9RGodWK3s5qoVwiawclr9bGbBnIk6BZnQH'
Source: eternal.exe, IsDp1ecpTFNA4aR1tkuj7x6jBnVeFOWVVQprEerK5JT5WDvVxJvOqcheXfyHjH2HvZRfEKvHfLNgLVkvs.cs	High entropy of concatenated method names: 'k06g0iCbZCrfysspSRMUJhlvYv79m1SSzswTsLBuX8Uz3rCOToqYxOxgf2zC01crRWspIvgXQ8oEiE7TM', '_7zpgzbS6PiDyDJENNtstPc6AcDWETdl9qa8VBBfjip0JV0wNKaiUYqCSDNhWBNrFA2q5hZsTYIrwXV9eo', 'efanD038HcFIAEn81JcePjTZcmuYEb18URcxTmSvOhAn2vjbQL2CvMLKx5U8ELzWTMGmNEUgxjPFbQEUH', 'S6TBniyDwO1QE4SgIJD32eq9ggNzFjSC7eVHzx0pqJHhS5zDr1NKfdFiZ950zBN5SCgKu9PCd5pNKgRd4', '_5NB66cSsdfZl1wYpuBTFxnfbtIFkKthngYBP7aJYPI8h0KaVs8ob5oRSiwXQ0WpBTp3oQYyd9hCBeebIi', '_8auKXwrMjrWK6GETcQFbdg3Vp79uUUIPDb9Sy4WFo66QIUaj0mFhsh0uP1EDWfjJPZhOohG04ClP6EwKU', 'eZLULBsWHjkkBfq6UUkYqvjdfep7gP0Jsax6nfq8yPBu0kvptOtgeoAB89ekjARl0orRbLzx8vIrJJNzz', 'Uqe2k6rcLSu5PX1j4tOqUiz3AsHedfpnumnQKYbU0ZFOajGepCrXgVlcsAJjGLiJ3YS24bwh0hfa1TXHx', 'fPrS3IoE8AU3qNIg9y0bwAv5b2OwoCgc90vr3Dv9sCQsynP59RPumSLyr7wt2Q86BBiUuUlWpbuS75vgr', '_1bidLvfGyo8kT6sraMlH8OWiBDlbh3JTvPbdsjQ5ks4b8uEikoXH93LqXuA3XXmZXSrsBs1I2EenFSSKB'
Source: eternal.exe, 07Cdq7Slaf2T0jZczBuwyUXHac.cs	High entropy of concatenated method names: 'aNTMw6Lu16q3XeWHR1sR3PMWSc', '_85n0wGBYXzEAGGt4l8PGE0RDXu', 'CTQ4WASzc8s72DCU4qjXS0CXRl', 'Pc3Yhm8jNS8GFjGCj9zEGX6vS0', '_4SJw3T4IWGV1RB84xPDOcTwCH0BWzCDx7Cv9O75zcJBpdLzVGT2sJz', 'V7c4x1ZactwY6IDS1gx8EozmV7NQKodI3NEVUIzH9cdwub65IquqG5', 'tSoF4ErRLVczkRNY4oAHQYpg18er1hxx2JuiJvKNPus0RjONzUM9Ty', 'cReP19Usgw2ijL8SFqsFgwdEKNtvIYJq2VudLBTLJe7lL7ul2XGIKU', 'KrU1gipWTZPHUOXxkvD6LuPOmDsvj4AojcsA06vZMleEQghmaWD9sW15aZKDoJY72JOLWqRzXCo68c64eXudEf', 'w2J7OZ6KgMoKAlYfNB0Zamm0AZZpzVfIOcLbbErEWdfgG9fasIJXDTSSjeekkiQQ54pP4m3ld4E0FbrPz2HFkh'
Source: eternal.exe, fHfgyTqtDDXlgFY83FcOCVN0lmCsgZzHJUE3KRMC6.cs	High entropy of concatenated method names: 'eZmacRaUJwyo2V4YVB3fpVPcLirYMs9NgnkwDjFGp', 'd85CNq0UL5V9VHkpmg49vGPNv2eivxNFlfn6SA8Wa', 'aaPTnTrt8Ym4okXALJ8ARVYV41jgbEBIV1xhS5jpX', 'TipMraploFbtSJXkrL2wl7mQA2', '_8kYnfx2Lev1BuxUf3rf6rrRChf', 'YZm91ip80fd4eMng8qFrdBzNCg', 'IVWmqzIBjqA6oT2vjG5RkSmRor', 'Pr3QotefBmeLPnEJGZAv75JZ0Z', 'UxwYolw5crzg8rmsMOEamrwCXu', 'Sy558Qu3s6mdrFllG7ujEwVbsF'
Source: eternal.exe, z7GL3GcSz0bU9xxBylPHvbaUX8.cs	High entropy of concatenated method names: 'rczOseSIc2vnwuEKIR8PkcLmQa', '_04nQsc5SubxMuXJO3AjPmX0xdl', 'hFjVWq8dAgGwLNBrQoIeKlZxVQ', 'HcqlO99QRe4SHd8BzMhTs7NGM5', 'l7FpTzsY57NomzQ8RfXN2HkWPh', 'PPwLymJlD5IyaA6OX8oJLKE2eo', 'j0lPXeA3krUBU4eIKwHZCHQo8t', 'JF3URgxYwq9OQvJS00u8hCO5H8vqmWwDRbmYItsSowCm6gCXAbEsZZZmIQL', 'nwctXyVSHKGY5OLwe9fqeakonwIxFSDgOXORZzO0z6k9imOZ8ltZE3IN43d', 'yRMsRhBMjHLebAC07aypKk8Xvd0Fr7wd5MRrNJbh59gRGeUCPCNh0DRN0FX'
Source: eternal.exe, pwLyC8IGS9fWPw8AOOpq13VTDw.cs	High entropy of concatenated method names: 'q75ROLrqqHV6EmJDp91TOI4VmT', 'ZtBBrD6v9t5iKcxfvJFaw3H4IuoDdY5nuT9puJXpLcjL76IDfgCpHRRBmpJVtKBkLCrPDQOodEZjpRwSz7URN3', 'vfjRU45nEBY3auUaODMgdMoHtc4K9VQz4xOTtGT5Rs8N0nXwNGPIEGNdyM7MGhG3uPvvrFFxSVofALVPdeAZNJ', 'icSHmmvwaVgso4j8Hv3S4II3minVb10MWs5SQ63NpOLDYpHqrGopkznqOvYHFNLP1M4QnYgENy3C06mTgfD2bh', 'dpGjJ3p87EOacCY2vM0V24nVRlbrIREh0oXDjE2lWXatKNNzmuZcRV5SWjWaJ4VPQdH04vzaLiesjPJ7syopT7'
Source: eternal.exe, YQhejhVgT0ttgMOLyMJxgFpqD9cch4ZRZCw8NY2M6T1GDPhoPLEM2UjD1FgvZhc5VommPhvhtQvJWFL27.cs	High entropy of concatenated method names: 'v2ZikujqPLr1n6uIoVRgCl1pTavRWrBtjGZIRMgHAOgEZQHb0xl2UCVnjLOjvu4tr2gJgE8b2IxKZqqDE', 'Te60wYfmJ74mvSBCHY9Q1NYDhkeXswsJzyOxyUzGodjeG1TZQE5uz4gUMoPwHqZv0IL8rkrclqK6sLhXa', 'lOttlYb7JhxgqWLTIpZwgApjN4IiY5lALQP1k3zDtevLeLQ0arZpIFqdSuNqZ8CtJBvaQamVZPkdJjEK1', 'HklCUKPtoD7xqi5SydpzGBxTnIL1tsIxMdr9pI26Q8FfUeLJE80eMifz2MCiXpMquyZr2BP9gg7FY6Swm', 'mBYQhshBfowyxxw0DF', 'v0fl2bSQlrkwGParpN', '_0oISgafl1pHFtQOk9c', 'VFkzUzAnj429d1yALh', 'cKM0CQlApexIk8yDHx', 'wHzUyYnhv4EPtZktOH'
Source: eternal.exe, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs	High entropy of concatenated method names: 'rWgDNtD9XClx2ePX1ClUNtaUKXAVpqLIPamcaShgPjX2GXhFnNddcug1dnCUVYeOGwlDB6awhp2LkVuNJqgnwhfzwZjoQTdYyJG', 'o4DruXGjL07o2HIFSRdU1PNswHXNNiP4YoTvKJjE1DPXeiunlYhlqIeliXadQH1QXJgcgn6jIzq13184TVW4yyI4fojGlGN86m3', '_15xvhav5CsVbhcaBatgprc9bhSzTJ2Uj711MIImyF1pfHIQjLdp07HnJ6Q9SOa16zKy7DsQpO2JWsPV7aDbHYdZ9PtIwNdYGFOd', 'ilP62xKpQqTx9U2gHfS6thNHObDbYplWekVrvTfo6xzmjbv8zdAIZrapg5YqVmvuy9ANsaQ0gu716iUEjF66cZiDs1qBN0Z8sFX', '_1L4pbsWDZhKfHZBBMpDwYw8KMuVu0BHVfRoCyfa35ApP31Z07D2DM4tFjH8jSVYQ9cOiCebiaAyTg20NpIeGtPKSRB8UwLiaqJT', '_0iQVfid5km9BaIMjdJ7jvr4wgk63gqvsqAq9Cv3kDD3NTRPAeUNHUqCLeRLZcYxPwS5AFnpc0guTCN7dVAqvD7i8KE5MAiBWpEC', 'F8JSf8qjcOEGjxHWRDmywmiPNV7vP3RrfeN2DwhBNngzTla9b4eZlM2atVYZ5NqxOn9LEJk8fYy3AAZa8cNBZf5CRMGD8l0dYIO', 'WWdZkn7NhLGtutIFzAPRtfYm50evObQXhtDpar21v', 'twLqMQQuRzHiNTomU0HgBk9BDJiIXnidwc25S9R7S', 'jYqvBynZ9drCFVMYmQPpIj8VpTcr4G6PjM7ybOXXz'
Source: XClient.exe.0.dr, PNTkHhRdRADo9Htu8dbFVLGTwqCu2qbzjYH5zYlur5KxgSz1jQZuw8evWYvsSGwZnSHAYTXqL6hUBfvaIp2CoAMx26V.cs	High entropy of concatenated method names: '_0c5osAYdBH9XJ94w4zO6l972AlhrdGad0hqnAFgCFDwSXcziYUz2q1XXqL3Zde5p35YLYKckiT7zmCnBswlBhvyUlKO', 'zTL2B64wg2rWQWqASrnYspHnl0Z1Aumla4SUxs4D64pQI2WON1JnzP1oGkeyMwLMnb0f8QieLG4h', 'rkr0zO6T26LPtwV3U9c2u5xYBuctzMPqkJXb8TIBxlUKlPIg8rAaiHfjLP71Hzw255mMcNkH7LQq', 'Btv4maALwmARX', 'HJNgJkbLwyzIr', 'EHT5RPoBsAnvY', 'U5FhaAIW2Nj2K', '_7zTNkjNQ0QD3c', 'hQgK5oM9YmxrQ', 'LnSuQAe3DhXZ2'
Source: XClient.exe.0.dr, ehFF3g5JMWmvPBY7f8PHXvmxPU1QBWGhSW9HZi8z2cL2PB9AU.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Ea65l0P6VLiuAGdcSTuvjZVcwJgbGY1253l4vMwdSVADH492dX4PnHlSS35V2YM5c6dN3ZqKdkec', 'kOmiM1AbuLNjuLBf89wLzzjhN1Q3cqGGQEB6xJwPBYbBFOr4CSGH78YstQzx2itJcGbuOsGxLZKK', 'xGK7vCJFSYRW1gcvS6EUjMnJRR8OBcSkO5EdL9avx0j551WfeEgaTLxv1eSH4wQTZWjFIcRo4bUj', 'ERiYjJBn6pFxsGNYLGgy8QzMDp73EOBHgudvczYH3MSATieVEHc6hvYTbAy3glIC6sE2LzEEvOMf'
Source: XClient.exe.0.dr, ZTVYtJFrmsQJQ9ljOwNBcyaFo9DitMyOY4oipU4ny.cs	High entropy of concatenated method names: 'NoCle4xZmufxswDeh5fhpTUgoSAb5eavmQrRgKskO', 'zZWCPg3bEKG534TZwNRhlqsIneV7P6FWDiwU', '_2yRRy4y5sBKarxi31GYBsSZgy2BbH10JSslb', 'f9J0BO2UoDn7uyJSkFmSMqD2U0CLAbQJIjKF', 'jF9RGodWK3s5qoVwiawclr9bGbBnIk6BZnQH'
Source: XClient.exe.0.dr, IsDp1ecpTFNA4aR1tkuj7x6jBnVeFOWVVQprEerK5JT5WDvVxJvOqcheXfyHjH2HvZRfEKvHfLNgLVkvs.cs	High entropy of concatenated method names: 'k06g0iCbZCrfysspSRMUJhlvYv79m1SSzswTsLBuX8Uz3rCOToqYxOxgf2zC01crRWspIvgXQ8oEiE7TM', '_7zpgzbS6PiDyDJENNtstPc6AcDWETdl9qa8VBBfjip0JV0wNKaiUYqCSDNhWBNrFA2q5hZsTYIrwXV9eo', 'efanD038HcFIAEn81JcePjTZcmuYEb18URcxTmSvOhAn2vjbQL2CvMLKx5U8ELzWTMGmNEUgxjPFbQEUH', 'S6TBniyDwO1QE4SgIJD32eq9ggNzFjSC7eVHzx0pqJHhS5zDr1NKfdFiZ950zBN5SCgKu9PCd5pNKgRd4', '_5NB66cSsdfZl1wYpuBTFxnfbtIFkKthngYBP7aJYPI8h0KaVs8ob5oRSiwXQ0WpBTp3oQYyd9hCBeebIi', '_8auKXwrMjrWK6GETcQFbdg3Vp79uUUIPDb9Sy4WFo66QIUaj0mFhsh0uP1EDWfjJPZhOohG04ClP6EwKU', 'eZLULBsWHjkkBfq6UUkYqvjdfep7gP0Jsax6nfq8yPBu0kvptOtgeoAB89ekjARl0orRbLzx8vIrJJNzz', 'Uqe2k6rcLSu5PX1j4tOqUiz3AsHedfpnumnQKYbU0ZFOajGepCrXgVlcsAJjGLiJ3YS24bwh0hfa1TXHx', 'fPrS3IoE8AU3qNIg9y0bwAv5b2OwoCgc90vr3Dv9sCQsynP59RPumSLyr7wt2Q86BBiUuUlWpbuS75vgr', '_1bidLvfGyo8kT6sraMlH8OWiBDlbh3JTvPbdsjQ5ks4b8uEikoXH93LqXuA3XXmZXSrsBs1I2EenFSSKB'
Source: XClient.exe.0.dr, 07Cdq7Slaf2T0jZczBuwyUXHac.cs	High entropy of concatenated method names: 'aNTMw6Lu16q3XeWHR1sR3PMWSc', '_85n0wGBYXzEAGGt4l8PGE0RDXu', 'CTQ4WASzc8s72DCU4qjXS0CXRl', 'Pc3Yhm8jNS8GFjGCj9zEGX6vS0', '_4SJw3T4IWGV1RB84xPDOcTwCH0BWzCDx7Cv9O75zcJBpdLzVGT2sJz', 'V7c4x1ZactwY6IDS1gx8EozmV7NQKodI3NEVUIzH9cdwub65IquqG5', 'tSoF4ErRLVczkRNY4oAHQYpg18er1hxx2JuiJvKNPus0RjONzUM9Ty', 'cReP19Usgw2ijL8SFqsFgwdEKNtvIYJq2VudLBTLJe7lL7ul2XGIKU', 'KrU1gipWTZPHUOXxkvD6LuPOmDsvj4AojcsA06vZMleEQghmaWD9sW15aZKDoJY72JOLWqRzXCo68c64eXudEf', 'w2J7OZ6KgMoKAlYfNB0Zamm0AZZpzVfIOcLbbErEWdfgG9fasIJXDTSSjeekkiQQ54pP4m3ld4E0FbrPz2HFkh'
Source: XClient.exe.0.dr, fHfgyTqtDDXlgFY83FcOCVN0lmCsgZzHJUE3KRMC6.cs	High entropy of concatenated method names: 'eZmacRaUJwyo2V4YVB3fpVPcLirYMs9NgnkwDjFGp', 'd85CNq0UL5V9VHkpmg49vGPNv2eivxNFlfn6SA8Wa', 'aaPTnTrt8Ym4okXALJ8ARVYV41jgbEBIV1xhS5jpX', 'TipMraploFbtSJXkrL2wl7mQA2', '_8kYnfx2Lev1BuxUf3rf6rrRChf', 'YZm91ip80fd4eMng8qFrdBzNCg', 'IVWmqzIBjqA6oT2vjG5RkSmRor', 'Pr3QotefBmeLPnEJGZAv75JZ0Z', 'UxwYolw5crzg8rmsMOEamrwCXu', 'Sy558Qu3s6mdrFllG7ujEwVbsF'
Source: XClient.exe.0.dr, z7GL3GcSz0bU9xxBylPHvbaUX8.cs	High entropy of concatenated method names: 'rczOseSIc2vnwuEKIR8PkcLmQa', '_04nQsc5SubxMuXJO3AjPmX0xdl', 'hFjVWq8dAgGwLNBrQoIeKlZxVQ', 'HcqlO99QRe4SHd8BzMhTs7NGM5', 'l7FpTzsY57NomzQ8RfXN2HkWPh', 'PPwLymJlD5IyaA6OX8oJLKE2eo', 'j0lPXeA3krUBU4eIKwHZCHQo8t', 'JF3URgxYwq9OQvJS00u8hCO5H8vqmWwDRbmYItsSowCm6gCXAbEsZZZmIQL', 'nwctXyVSHKGY5OLwe9fqeakonwIxFSDgOXORZzO0z6k9imOZ8ltZE3IN43d', 'yRMsRhBMjHLebAC07aypKk8Xvd0Fr7wd5MRrNJbh59gRGeUCPCNh0DRN0FX'
Source: XClient.exe.0.dr, pwLyC8IGS9fWPw8AOOpq13VTDw.cs	High entropy of concatenated method names: 'q75ROLrqqHV6EmJDp91TOI4VmT', 'ZtBBrD6v9t5iKcxfvJFaw3H4IuoDdY5nuT9puJXpLcjL76IDfgCpHRRBmpJVtKBkLCrPDQOodEZjpRwSz7URN3', 'vfjRU45nEBY3auUaODMgdMoHtc4K9VQz4xOTtGT5Rs8N0nXwNGPIEGNdyM7MGhG3uPvvrFFxSVofALVPdeAZNJ', 'icSHmmvwaVgso4j8Hv3S4II3minVb10MWs5SQ63NpOLDYpHqrGopkznqOvYHFNLP1M4QnYgENy3C06mTgfD2bh', 'dpGjJ3p87EOacCY2vM0V24nVRlbrIREh0oXDjE2lWXatKNNzmuZcRV5SWjWaJ4VPQdH04vzaLiesjPJ7syopT7'
Source: XClient.exe.0.dr, YQhejhVgT0ttgMOLyMJxgFpqD9cch4ZRZCw8NY2M6T1GDPhoPLEM2UjD1FgvZhc5VommPhvhtQvJWFL27.cs	High entropy of concatenated method names: 'v2ZikujqPLr1n6uIoVRgCl1pTavRWrBtjGZIRMgHAOgEZQHb0xl2UCVnjLOjvu4tr2gJgE8b2IxKZqqDE', 'Te60wYfmJ74mvSBCHY9Q1NYDhkeXswsJzyOxyUzGodjeG1TZQE5uz4gUMoPwHqZv0IL8rkrclqK6sLhXa', 'lOttlYb7JhxgqWLTIpZwgApjN4IiY5lALQP1k3zDtevLeLQ0arZpIFqdSuNqZ8CtJBvaQamVZPkdJjEK1', 'HklCUKPtoD7xqi5SydpzGBxTnIL1tsIxMdr9pI26Q8FfUeLJE80eMifz2MCiXpMquyZr2BP9gg7FY6Swm', 'mBYQhshBfowyxxw0DF', 'v0fl2bSQlrkwGParpN', '_0oISgafl1pHFtQOk9c', 'VFkzUzAnj429d1yALh', 'cKM0CQlApexIk8yDHx', 'wHzUyYnhv4EPtZktOH'
Source: XClient.exe.0.dr, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs	High entropy of concatenated method names: 'rWgDNtD9XClx2ePX1ClUNtaUKXAVpqLIPamcaShgPjX2GXhFnNddcug1dnCUVYeOGwlDB6awhp2LkVuNJqgnwhfzwZjoQTdYyJG', 'o4DruXGjL07o2HIFSRdU1PNswHXNNiP4YoTvKJjE1DPXeiunlYhlqIeliXadQH1QXJgcgn6jIzq13184TVW4yyI4fojGlGN86m3', '_15xvhav5CsVbhcaBatgprc9bhSzTJ2Uj711MIImyF1pfHIQjLdp07HnJ6Q9SOa16zKy7DsQpO2JWsPV7aDbHYdZ9PtIwNdYGFOd', 'ilP62xKpQqTx9U2gHfS6thNHObDbYplWekVrvTfo6xzmjbv8zdAIZrapg5YqVmvuy9ANsaQ0gu716iUEjF66cZiDs1qBN0Z8sFX', '_1L4pbsWDZhKfHZBBMpDwYw8KMuVu0BHVfRoCyfa35ApP31Z07D2DM4tFjH8jSVYQ9cOiCebiaAyTg20NpIeGtPKSRB8UwLiaqJT', '_0iQVfid5km9BaIMjdJ7jvr4wgk63gqvsqAq9Cv3kDD3NTRPAeUNHUqCLeRLZcYxPwS5AFnpc0guTCN7dVAqvD7i8KE5MAiBWpEC', 'F8JSf8qjcOEGjxHWRDmywmiPNV7vP3RrfeN2DwhBNngzTla9b4eZlM2atVYZ5NqxOn9LEJk8fYy3AAZa8cNBZf5CRMGD8l0dYIO', 'WWdZkn7NhLGtutIFzAPRtfYm50evObQXhtDpar21v', 'twLqMQQuRzHiNTomU0HgBk9BDJiIXnidwc25S9R7S', 'jYqvBynZ9drCFVMYmQPpIj8VpTcr4G6PjM7ybOXXz'

Source: C:\Users\user\Desktop\eternal.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\eternal.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"

Source: C:\Users\user\Desktop\eternal.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\eternal.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\eternal.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior

Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\eternal.exe	Memory allocated: 1370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Memory allocated: 1B160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 23A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1A720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1B180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1ADD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1B2A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 10A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1AFD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1AE10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 7A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1A370000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\eternal.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\eternal.exe	Window / User API: threadDelayed 3194			Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Window / User API: threadDelayed 6661			Jump to behavior

Source: C:\Users\user\Desktop\eternal.exe TID: 5652	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 6396	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3348	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 2192	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 1404	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 4044	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 4660	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 4192	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\eternal.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: eternal.exe, 00000000.00000002.3797625290.000000001C100000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: eternal.exe, 00000000.00000002.3794478743.0000000001198000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\eternal.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\eternal.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\eternal.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\eternal.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"

Jump to behavior

Source: C:\Users\user\Desktop\eternal.exe	Queries volume information: C:\Users\user\Desktop\eternal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eternal.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\eternal.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: eternal.exe, 00000000.00000002.3797625290.000000001C197000.00000004.00000020.00020000.00000000.sdmp, eternal.exe, 00000000.00000002.3797625290.000000001C100000.00000004.00000020.00020000.00000000.sdmp, eternal.exe, 00000000.00000002.3794478743.000000000112C000.00000004.00000020.00020000.00000000.sdmp, eternal.exe, 00000000.00000002.3794478743.00000000011F4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\eternal.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: eternal.exe, type: SAMPLE
Source: Yara match	File source: 0.0.eternal.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1344837200.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eternal.exe PID: 1704, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: eternal.exe, type: SAMPLE
Source: Yara match	File source: 0.0.eternal.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1344837200.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eternal.exe PID: 1704, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
eternal.exe	74%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
eternal.exe	67%	Virustotal		Browse
eternal.exe	100%	Avira	TR/Spy.Gen
eternal.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\XClient.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Roaming\XClient.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XClient.exe	74%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Roaming\XClient.exe	67%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
171.39.242.20.in-addr.arpa	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
147.185.221.23	0%	Avira URL Cloud	safe
147.185.221.23	18%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high
171.39.242.20.in-addr.arpa	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
147.185.221.23	true	18%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	eternal.exe, 00000000.00000002.3795426043.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.23	unknown	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557108
Start date and time:	2024-11-17 11:21:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	eternal.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/4@1/1
EGA Information:	Successful, ratio: 12.5%
HCA Information:	Successful, ratio: 99% Number of executed functions: 74 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target XClient.exe, PID 2052 because it is empty
Execution Graph export aborted for target XClient.exe, PID 3376 because it is empty
Execution Graph export aborted for target XClient.exe, PID 3668 because it is empty
Execution Graph export aborted for target XClient.exe, PID 4436 because it is empty
Execution Graph export aborted for target XClient.exe, PID 5552 because it is empty
Execution Graph export aborted for target XClient.exe, PID 5852 because it is empty
Execution Graph export aborted for target XClient.exe, PID 5984 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:22:14	API Interceptor	14687681x Sleep call for process: eternal.exe modified
10:22:10	Task Scheduler	Run new task: XClient path: C:\Users\user\AppData\Roaming\XClient.exe
10:22:12	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
10:22:21	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
10:22:29	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.23	svchost.exe	Get hash	malicious	Unknown	Browse
	msedge_visual_render.exe	Get hash	malicious	XWorm	Browse
	exe030.exe	Get hash	malicious	XWorm	Browse
	pQm8Ci3Dov.exe	Get hash	malicious	XWorm	Browse
	jkL96SLfWS.exe	Get hash	malicious	XWorm	Browse
	xtrSvgqQEW.exe	Get hash	malicious	XWorm	Browse
	7PRbdkCn03.exe	Get hash	malicious	XWorm	Browse
	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse
	6qwSgLbPO9.exe	Get hash	malicious	XWorm	Browse
	RLesaPFXew.exe	Get hash	malicious	SilverRat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	LauncherPred8.3.37Stablesetup.msi	Get hash	malicious	Remcos	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	jM0HEXs5mI.exe__.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	svchost.exe	Get hash	malicious	Unknown	Browse	147.185.221.23
	msedge_visual_render.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	exe030.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	pQm8Ci3Dov.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	jkL96SLfWS.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	xtrSvgqQEW.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	7PRbdkCn03.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	147.185.221.23
	6qwSgLbPO9.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	RLesaPFXew.exe	Get hash	malicious	SilverRat	Browse	147.185.221.23

Process:	C:\Users\user\AppData\Roaming\XClient.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\eternal.exe
File Type:	Generic INItialization configuration [WIN]
Category:	dropped
Size (bytes):	64
Entropy (8bit):	3.6722687970803873
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
MD5:	DE63D53293EBACE29F3F54832D739D40
SHA1:	1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
SHA-256:	A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
SHA-512:	10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Download File

Process:	C:\Users\user\Desktop\eternal.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Nov 17 09:22:07 2024, mtime=Sun Nov 17 09:22:07 2024, atime=Sun Nov 17 09:22:07 2024, length=71168, window=hide
Category:	dropped
Size (bytes):	763
Entropy (8bit):	5.065002293325832
Encrypted:	false
SSDEEP:	12:8xb24o29l4l0tChXyedY//YtKlMLKR8Zg8YjAx8qwNHkfAd4mV:8h54uQyZs1KRSZ8ApwCfAd4m
MD5:	658F6EA7BDB3F35432C50960E717A0BD
SHA1:	7E3C4314060B6D94BBEC5228371317956B90FC9D
SHA-256:	EF097BC62E934524156C9DE685B65DB7DF6D9CF68C7B676A25FF26B8F8D394B8
SHA-512:	B7B6967AEA9089A78D83B14BB1B5FC66DA98FF4AF087D68DA1D2D3FE5A3CDFBC79652128AFEE65051FA5408FAF3B27A5736B12DAD862D0B91150890136E99CC2
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....8..8...8..8...8..8..........................v.:..DG..Yr?.D..U..k0.&...&.......bBDj...<.Y..8.._$...8......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsGqY.R..........................=...A.p.p.D.a.t.a...B.V.1.....qY.R..Roaming.@......EWsGqY.R..........................N...R.o.a.m.i.n.g.....b.2.....qY.R .XClient.exe.H......qY.RqY.R....A.......................#.X.C.l.i.e.n.t...e.x.e.......X...............-.......W...........{........C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......965543...........hT..CrF.f4... .a.E._c...,...E...hT..CrF.f4... .a.E._c...,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Users\user\Desktop\eternal.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	71168
Entropy (8bit):	6.026372989128195
Encrypted:	false
SSDEEP:	1536:dEmkVu+xslqytUTZfJM6htYxrlYCbM1/kCxtD6LOSIcRGPUC:dEZZx8q/fJLtYFZbM1segO3cQ8C
MD5:	7439CC991A9A756C41153B8E9121BAAB
SHA1:	C62528386E5F62FF2975CC8ED0CAD3A7D362E632
SHA-256:	31A2B821E933BB193D94438D4A5AA036519535336C936D65B66889FB03164E2D
SHA-512:	CBDFD77671884407F8F4BD9C5251DF5D8896B29BD004EA52460EDA8A222DF7492C69572E044376315624220F3EA66DE3AFF34323EA281591CA2975F90FA6DD51
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74% Antivirus: Virustotal, Detection: 67%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g.............................+... ...@....@.. ....................................@.................................P+..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......0^.. .......&.....................................................(.....r...p. .x!...(.....r...p. .....s.........s.........s.........s..........r7..p. .O...r...p.rm..p. .....r...p. .&...r...p. ......((....r...p. .A...r...p. E/.."(....+.&(....&+..+5sT... .... .'..oU...(,...~....-.(D...(6...~....oV...&.-..r...p. p{..r...p. ^....r...p. .....r...p.r1..p. t.................j..................sW.............."(F...+.:.t....(A...+..r]..p

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.026372989128195
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	eternal.exe
File size:	71'168 bytes
MD5:	7439cc991a9a756c41153b8e9121baab
SHA1:	c62528386e5f62ff2975cc8ed0cad3a7d362e632
SHA256:	31a2b821e933bb193d94438d4a5aa036519535336c936d65b66889fb03164e2d
SHA512:	cbdfd77671884407f8f4bd9c5251df5d8896b29bd004ea52460eda8a222df7492c69572e044376315624220f3ea66de3aff34323ea281591ca2975f90fa6dd51
SSDEEP:	1536:dEmkVu+xslqytUTZfJM6htYxrlYCbM1/kCxtD6LOSIcRGPUC:dEZZx8q/fJLtYFZbM1segO3cQ8C
TLSH:	20638D4C7BE74520E2FF9FB148F63252D679F3135903A69F28DA01872723A84CD856E9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.............................+... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x412b9e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x671B84E5 [Fri Oct 25 11:45:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12b50	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x4ce	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x10ba4	0x10c00	9aff27ecbadfeb0a78281dbd0f964ac3	False	0.6075093283582089	data	6.102940639221671	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x4ce	0x600	e91ee91db1d305f2e462e5d554e484de	False	0.37109375	data	3.713953333125255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16000	0xc	0x200	01a0961a443f53381b26bcd7ce5c031f	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x140a0	0x244	data			0.46379310344827585
RT_MANIFEST	0x142e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-17T11:23:22.207179+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.9	53547	147.185.221.23	33942	TCP
2024-11-17T11:25:11.545747+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.9	53557	147.185.221.23	33942	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 17, 2024 11:22:14.306544065 CET	49777	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:14.312220097 CET	33942	49777	147.185.221.23	192.168.2.9
Nov 17, 2024 11:22:14.312386036 CET	49777	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:15.073494911 CET	49777	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:15.078383923 CET	33942	49777	147.185.221.23	192.168.2.9
Nov 17, 2024 11:22:22.797616959 CET	33942	49777	147.185.221.23	192.168.2.9
Nov 17, 2024 11:22:22.798100948 CET	49777	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:24.967272997 CET	49777	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:24.969521999 CET	49840	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:24.973479986 CET	33942	49777	147.185.221.23	192.168.2.9
Nov 17, 2024 11:22:24.975192070 CET	33942	49840	147.185.221.23	192.168.2.9
Nov 17, 2024 11:22:24.975347042 CET	49840	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:24.993285894 CET	49840	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:24.998255968 CET	33942	49840	147.185.221.23	192.168.2.9
Nov 17, 2024 11:22:33.460237980 CET	33942	49840	147.185.221.23	192.168.2.9
Nov 17, 2024 11:22:33.460366011 CET	49840	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:36.186054945 CET	49840	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:36.187156916 CET	53459	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:36.191185951 CET	33942	49840	147.185.221.23	192.168.2.9
Nov 17, 2024 11:22:36.192116976 CET	33942	53459	147.185.221.23	192.168.2.9
Nov 17, 2024 11:22:36.192315102 CET	53459	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:36.209115028 CET	53459	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:36.214206934 CET	33942	53459	147.185.221.23	192.168.2.9
Nov 17, 2024 11:22:44.674947977 CET	33942	53459	147.185.221.23	192.168.2.9
Nov 17, 2024 11:22:44.675018072 CET	53459	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:44.951504946 CET	53459	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:44.952296972 CET	53512	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:44.956341028 CET	33942	53459	147.185.221.23	192.168.2.9
Nov 17, 2024 11:22:44.957154036 CET	33942	53512	147.185.221.23	192.168.2.9
Nov 17, 2024 11:22:44.957340002 CET	53512	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:44.971877098 CET	53512	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:44.978244066 CET	33942	53512	147.185.221.23	192.168.2.9
Nov 17, 2024 11:22:53.439743996 CET	33942	53512	147.185.221.23	192.168.2.9
Nov 17, 2024 11:22:53.439832926 CET	53512	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:54.498514891 CET	53512	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:54.499336958 CET	53544	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:54.503464937 CET	33942	53512	147.185.221.23	192.168.2.9
Nov 17, 2024 11:22:54.504259109 CET	33942	53544	147.185.221.23	192.168.2.9
Nov 17, 2024 11:22:54.504379034 CET	53544	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:54.520925999 CET	53544	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:22:54.526011944 CET	33942	53544	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:02.996341944 CET	33942	53544	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:02.996432066 CET	53544	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:04.515600920 CET	53544	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:04.517309904 CET	53545	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:04.520653963 CET	33942	53544	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:04.522211075 CET	33942	53545	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:04.522367001 CET	53545	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:04.538077116 CET	53545	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:04.542916059 CET	33942	53545	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:12.998028040 CET	33942	53545	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:12.998163939 CET	53545	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:13.014098883 CET	53545	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:13.014861107 CET	53546	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:13.018970966 CET	33942	53545	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:13.019784927 CET	33942	53546	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:13.019857883 CET	53546	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:13.034872055 CET	53546	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:13.039777040 CET	33942	53546	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:21.494205952 CET	33942	53546	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:21.494492054 CET	53546	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:22.126723051 CET	53546	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:22.129563093 CET	53547	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:22.131582975 CET	33942	53546	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:22.134495020 CET	33942	53547	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:22.134594917 CET	53547	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:22.182777882 CET	53547	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:22.187653065 CET	33942	53547	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:22.207179070 CET	53547	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:22.212233067 CET	33942	53547	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:22.358056068 CET	53547	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:22.362968922 CET	33942	53547	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:27.576977968 CET	53547	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:27.581842899 CET	33942	53547	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:27.592355967 CET	53547	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:27.597342014 CET	33942	53547	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:27.623641968 CET	53547	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:27.628659964 CET	33942	53547	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:27.639524937 CET	53547	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:27.644432068 CET	33942	53547	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:27.670571089 CET	53547	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:27.675692081 CET	33942	53547	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:27.795458078 CET	53547	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:27.800385952 CET	33942	53547	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:27.810986996 CET	53547	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:27.815905094 CET	33942	53547	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:30.618772984 CET	33942	53547	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:30.619612932 CET	53547	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:32.826874971 CET	53547	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:32.829152107 CET	53548	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:32.831814051 CET	33942	53547	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:32.834110975 CET	33942	53548	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:32.834897995 CET	53548	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:33.017402887 CET	53548	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:33.022316933 CET	33942	53548	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:38.123615980 CET	53548	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:38.128537893 CET	33942	53548	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:38.155030012 CET	53548	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:38.160152912 CET	33942	53548	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:38.264146090 CET	53548	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:38.269020081 CET	33942	53548	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:41.323755026 CET	33942	53548	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:41.324130058 CET	53548	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:43.264122009 CET	53548	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:43.267472982 CET	53549	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:43.269105911 CET	33942	53548	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:43.272402048 CET	33942	53549	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:43.275669098 CET	53549	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:43.529700994 CET	53549	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:43.534698963 CET	33942	53549	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:43.561275959 CET	53549	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:43.566236019 CET	33942	53549	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:43.592427969 CET	53549	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:43.597942114 CET	33942	53549	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:43.607958078 CET	53549	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:43.612814903 CET	33942	53549	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:43.670516014 CET	53549	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:43.675472975 CET	33942	53549	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:43.686083078 CET	53549	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:43.691581964 CET	33942	53549	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:43.717365026 CET	53549	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:43.722178936 CET	33942	53549	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:44.014257908 CET	53549	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:44.019228935 CET	33942	53549	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:47.328464985 CET	53549	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:47.333241940 CET	33942	53549	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:51.763742924 CET	33942	53549	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:51.763797998 CET	53549	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:53.779927015 CET	53549	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:53.781316042 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:53.784925938 CET	33942	53549	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:53.786175013 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:53.786242008 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:53.825335979 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:53.830122948 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:53.873945951 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:53.878819942 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:53.920471907 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:53.925339937 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:53.936451912 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:53.941561937 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:59.233510017 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:59.238495111 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:59.545475006 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:59.550364971 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:59.702117920 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:59.707250118 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:59.764657021 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:59.769531965 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:59.826818943 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:59.831809998 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:59.858330011 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:59.863378048 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:59.873650074 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:59.878570080 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:59.889199972 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:59.894131899 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:59.936228037 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:59.941097975 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:59.951832056 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:59.956717014 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:23:59.967616081 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:23:59.972687960 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:02.269627094 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:02.269707918 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:05.045398951 CET	53550	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:05.047297955 CET	53551	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:05.050743103 CET	33942	53550	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:05.052381039 CET	33942	53551	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:05.052449942 CET	53551	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:05.136365891 CET	53551	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:05.141376019 CET	33942	53551	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:13.533651114 CET	33942	53551	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:13.537636042 CET	53551	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:15.670459986 CET	53551	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:15.672044992 CET	53552	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:15.675632954 CET	33942	53551	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:15.676985025 CET	33942	53552	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:15.677109957 CET	53552	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:15.722461939 CET	53552	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:15.727488995 CET	33942	53552	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:21.780169964 CET	53552	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:21.785089016 CET	33942	53552	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:24.159003019 CET	33942	53552	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:24.159071922 CET	53552	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:25.964016914 CET	53552	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:25.964711905 CET	53553	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:25.969013929 CET	33942	53552	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:25.969554901 CET	33942	53553	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:25.969636917 CET	53553	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:26.300514936 CET	53553	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:26.501384020 CET	33942	53553	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:26.501452923 CET	53553	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:26.506464005 CET	33942	53553	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:31.749497890 CET	53553	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:31.755470991 CET	33942	53553	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:32.717514038 CET	53553	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:32.722439051 CET	33942	53553	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:34.450038910 CET	33942	53553	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:34.453638077 CET	53553	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:36.889271975 CET	53553	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:36.891885042 CET	53554	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:36.895294905 CET	33942	53553	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:36.897757053 CET	33942	53554	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:36.897835970 CET	53554	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:36.935715914 CET	53554	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:36.940515995 CET	33942	53554	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:36.951762915 CET	53554	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:36.956559896 CET	33942	53554	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:36.998775005 CET	53554	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:37.004861116 CET	33942	53554	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:41.045630932 CET	53554	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:41.050705910 CET	33942	53554	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:45.384151936 CET	33942	53554	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:45.384213924 CET	53554	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:47.092281103 CET	53554	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:47.094209909 CET	53555	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:47.097186089 CET	33942	53554	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:47.099025965 CET	33942	53555	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:47.099132061 CET	53555	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:47.134474039 CET	53555	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:47.139398098 CET	33942	53555	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:47.154920101 CET	53555	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:47.159801006 CET	33942	53555	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:49.108102083 CET	53555	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:49.113042116 CET	33942	53555	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:50.749135017 CET	53555	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:50.754084110 CET	33942	53555	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:52.361615896 CET	53555	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:52.366554976 CET	33942	53555	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:55.583954096 CET	33942	53555	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:55.584022045 CET	53555	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:57.529876947 CET	53555	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:57.531627893 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:57.535051107 CET	33942	53555	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:57.536598921 CET	33942	53556	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:57.536654949 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:57.569431067 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:57.574382067 CET	33942	53556	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:57.623850107 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:57.628793001 CET	33942	53556	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:57.655008078 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:57.659915924 CET	33942	53556	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:57.670588970 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:57.675509930 CET	33942	53556	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:57.689547062 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:57.694437981 CET	33942	53556	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:57.889473915 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:57.894531965 CET	33942	53556	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:58.092529058 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:58.098254919 CET	33942	53556	147.185.221.23	192.168.2.9
Nov 17, 2024 11:24:58.373855114 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:24:58.378837109 CET	33942	53556	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:02.780158997 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:02.785259008 CET	33942	53556	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:02.795746088 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:02.800816059 CET	33942	53556	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:02.999233961 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:03.004684925 CET	33942	53556	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:03.030416965 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:03.035270929 CET	33942	53556	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:03.061523914 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:03.066420078 CET	33942	53556	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:03.139632940 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:03.144581079 CET	33942	53556	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:06.012341022 CET	33942	53556	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:06.012563944 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:08.186081886 CET	53556	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:08.187702894 CET	53557	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:08.191328049 CET	33942	53556	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:08.192740917 CET	33942	53557	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:08.192835093 CET	53557	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:08.295337915 CET	53557	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:08.300652981 CET	33942	53557	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:11.498830080 CET	53557	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:11.504075050 CET	33942	53557	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:11.545747042 CET	53557	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:11.557959080 CET	33942	53557	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:13.452063084 CET	53557	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:13.457226992 CET	33942	53557	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:13.498850107 CET	53557	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:13.503858089 CET	33942	53557	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:13.514416933 CET	53557	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:13.519345045 CET	33942	53557	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:16.683743000 CET	33942	53557	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:16.685674906 CET	53557	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:18.516273022 CET	53557	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:18.516289949 CET	53558	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:18.521374941 CET	33942	53557	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:18.521384954 CET	33942	53558	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:18.521642923 CET	53558	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:18.737241983 CET	53558	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:18.742438078 CET	33942	53558	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:18.811502934 CET	53558	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:18.816800117 CET	33942	53558	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:18.842611074 CET	53558	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:18.847729921 CET	33942	53558	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:18.858289957 CET	53558	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:18.863203049 CET	33942	53558	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:18.889518023 CET	53558	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:18.894541025 CET	33942	53558	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:18.920718908 CET	53558	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:18.925823927 CET	33942	53558	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:18.967670918 CET	53558	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:18.972731113 CET	33942	53558	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:18.983217955 CET	53558	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:18.988106966 CET	33942	53558	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:26.952027082 CET	53558	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:26.957048893 CET	33942	53558	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:27.007468939 CET	33942	53558	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:27.007534981 CET	53558	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:29.030062914 CET	53558	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:29.032994986 CET	53559	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:29.041431904 CET	33942	53558	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:29.041456938 CET	33942	53559	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:29.041528940 CET	53559	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:29.075578928 CET	53559	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:29.080528021 CET	33942	53559	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:29.108345032 CET	53559	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:29.113346100 CET	33942	53559	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:29.123936892 CET	53559	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:29.128817081 CET	33942	53559	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:31.264502048 CET	53559	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:31.269673109 CET	33942	53559	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:31.327081919 CET	53559	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:31.332017899 CET	33942	53559	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:37.527848005 CET	33942	53559	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:37.527918100 CET	53559	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:39.346354961 CET	53559	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:39.351402044 CET	33942	53559	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:39.363243103 CET	53560	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:39.368155003 CET	33942	53560	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:39.368221045 CET	53560	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:39.498505116 CET	53560	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:39.503417969 CET	33942	53560	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:44.109733105 CET	53560	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:44.114686012 CET	33942	53560	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:45.249327898 CET	53560	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:45.592391968 CET	53560	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:46.036201954 CET	33942	53560	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:46.036254883 CET	33942	53560	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:47.859621048 CET	33942	53560	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:47.860059977 CET	53560	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:50.561358929 CET	53560	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:50.562611103 CET	53561	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:50.566457987 CET	33942	53560	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:50.567605019 CET	33942	53561	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:50.567742109 CET	53561	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:50.805915117 CET	53561	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:50.810882092 CET	33942	53561	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:53.577394009 CET	53561	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:53.582565069 CET	33942	53561	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:58.967638016 CET	53561	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:25:58.972621918 CET	33942	53561	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:59.063052893 CET	33942	53561	147.185.221.23	192.168.2.9
Nov 17, 2024 11:25:59.063194036 CET	53561	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:01.299829960 CET	53561	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:01.304474115 CET	53562	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:01.304760933 CET	33942	53561	147.185.221.23	192.168.2.9
Nov 17, 2024 11:26:01.309297085 CET	33942	53562	147.185.221.23	192.168.2.9
Nov 17, 2024 11:26:01.309492111 CET	53562	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:01.356651068 CET	53562	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:01.361450911 CET	33942	53562	147.185.221.23	192.168.2.9
Nov 17, 2024 11:26:06.844228983 CET	53562	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:06.849297047 CET	33942	53562	147.185.221.23	192.168.2.9
Nov 17, 2024 11:26:09.452192068 CET	53562	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:09.457282066 CET	33942	53562	147.185.221.23	192.168.2.9
Nov 17, 2024 11:26:09.789185047 CET	33942	53562	147.185.221.23	192.168.2.9
Nov 17, 2024 11:26:09.789293051 CET	53562	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:14.451872110 CET	53562	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:14.452675104 CET	53563	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:14.456742048 CET	33942	53562	147.185.221.23	192.168.2.9
Nov 17, 2024 11:26:14.457515955 CET	33942	53563	147.185.221.23	192.168.2.9
Nov 17, 2024 11:26:14.457624912 CET	53563	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:14.506797075 CET	53563	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:14.512823105 CET	33942	53563	147.185.221.23	192.168.2.9
Nov 17, 2024 11:26:22.933558941 CET	33942	53563	147.185.221.23	192.168.2.9
Nov 17, 2024 11:26:22.933696985 CET	53563	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:30.452090979 CET	53563	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:30.452593088 CET	53564	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:30.457240105 CET	33942	53563	147.185.221.23	192.168.2.9
Nov 17, 2024 11:26:30.457595110 CET	33942	53564	147.185.221.23	192.168.2.9
Nov 17, 2024 11:26:30.457669020 CET	53564	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:30.470352888 CET	53564	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:30.475205898 CET	33942	53564	147.185.221.23	192.168.2.9
Nov 17, 2024 11:26:38.938853025 CET	33942	53564	147.185.221.23	192.168.2.9
Nov 17, 2024 11:26:38.941874981 CET	53564	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:39.593184948 CET	53564	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:39.593559980 CET	53565	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:39.598440886 CET	33942	53564	147.185.221.23	192.168.2.9
Nov 17, 2024 11:26:39.598509073 CET	33942	53565	147.185.221.23	192.168.2.9
Nov 17, 2024 11:26:39.598632097 CET	53565	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:39.609328985 CET	53565	33942	192.168.2.9	147.185.221.23
Nov 17, 2024 11:26:39.614455938 CET	33942	53565	147.185.221.23	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 17, 2024 11:22:34.974170923 CET	53	63285	162.159.36.2	192.168.2.9
Nov 17, 2024 11:22:35.638308048 CET	64155	53	192.168.2.9	1.1.1.1
Nov 17, 2024 11:22:35.688406944 CET	53	64155	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 17, 2024 11:22:35.638308048 CET	192.168.2.9	1.1.1.1	0x9694	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 17, 2024 11:22:01.179646015 CET	1.1.1.1	192.168.2.9	0xb03	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 17, 2024 11:22:01.179646015 CET	1.1.1.1	192.168.2.9	0xb03	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Nov 17, 2024 11:22:35.688406944 CET	1.1.1.1	192.168.2.9	0x9694	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	05:22:03
Start date:	17/11/2024
Path:	C:\Users\user\Desktop\eternal.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\eternal.exe"
Imagebase:	0xd30000
File size:	71'168 bytes
MD5 hash:	7439CC991A9A756C41153B8E9121BAAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1344837200.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1344837200.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	05:22:08
Start date:	17/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0x7ff70ea00000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:22:08
Start date:	17/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:22:10
Start date:	17/11/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\XClient.exe
Imagebase:	0x4a0000
File size:	71'168 bytes
MD5 hash:	7439CC991A9A756C41153B8E9121BAAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs Detection: 67%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:22:21
Start date:	17/11/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0xdc0000
File size:	71'168 bytes
MD5 hash:	7439CC991A9A756C41153B8E9121BAAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:22:29
Start date:	17/11/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0xb00000
File size:	71'168 bytes
MD5 hash:	7439CC991A9A756C41153B8E9121BAAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:23:01
Start date:	17/11/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\XClient.exe
Imagebase:	0xfd0000
File size:	71'168 bytes
MD5 hash:	7439CC991A9A756C41153B8E9121BAAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:24:00
Start date:	17/11/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\XClient.exe
Imagebase:	0xc30000
File size:	71'168 bytes
MD5 hash:	7439CC991A9A756C41153B8E9121BAAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:25:00
Start date:	17/11/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\XClient.exe
Imagebase:	0x9c0000
File size:	71'168 bytes
MD5 hash:	7439CC991A9A756C41153B8E9121BAAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:26:00
Start date:	17/11/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\XClient.exe
Imagebase:	0x150000
File size:	71'168 bytes
MD5 hash:	7439CC991A9A756C41153B8E9121BAAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	27
Total number of Limit Nodes:	2

Executed Functions

Function 00007FF887CF186D Relevance: 13.1, Strings: 10, Instructions: 625
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0DL, xrefs: 00007FF887CF1EAA
0DL, xrefs: 00007FF887CF1E59
6B, xrefs: 00007FF887CF1C4C
8ML, xrefs: 00007FF887CF1DB3
6B, xrefs: 00007FF887CF1B8F
CAO_^, xrefs: 00007FF887CF1921
6B, xrefs: 00007FF887CF1D78
0DL, xrefs: 00007FF887CF1DE9
"rB, xrefs: 00007FF887CF1BB3
6B, xrefs: 00007FF887CF1CDC

Memory Dump Source

Source File: 00000000.00000002.3798533512.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_eternal.jbxd

Similarity

API ID:
String ID: 6B$6B$6B$6B$"rB$0DL$0DL$0DL$8ML$CAO_^
API String ID: 0-295822469
Opcode ID: bedcde8625f8e4f77643bdd2d8954bcd5255e464ea994e66781873b3e74a711f
Instruction ID: 123d66fc37e22d7c80b6d1b89eeaafb68c451c381a492eb916fed0c641fa4da9
Opcode Fuzzy Hash: bedcde8625f8e4f77643bdd2d8954bcd5255e464ea994e66781873b3e74a711f
Instruction Fuzzy Hash: AB12B170B28A464BE798FB68C4657BD73E2FF98780F540579D40EC3296DE6CA8418742

Function 00007FF887CF2059 Relevance: 1.4, Strings: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6B, xrefs: 00007FF887CF2122

Memory Dump Source

Source File: 00000000.00000002.3798533512.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_eternal.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 53b326d6a81ca391c3f443de1d05a0438a1c70b69c4d87ab89f2608d09d2a6f2
Instruction ID: 8315a83aa213787ac9ac32c43d8430bc69642341218a517111858a0731aba69e
Opcode Fuzzy Hash: 53b326d6a81ca391c3f443de1d05a0438a1c70b69c4d87ab89f2608d09d2a6f2
Instruction Fuzzy Hash: 6F510221A5D6C55FD796AB7898243797FE1EF8B255B0800FBE08DC71E3DE485846C342

Function 00007FF887CF9626 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3798533512.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_eternal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d8e464a121b93f0b97881bc8da6a542069f31e442d3cf273af0251142c853f
Instruction ID: 0ef0cef5f2d5a71e08bd8488747e0b130ad591b033d17611b35f5bd466d56059
Opcode Fuzzy Hash: 46d8e464a121b93f0b97881bc8da6a542069f31e442d3cf273af0251142c853f
Instruction Fuzzy Hash: E1F19230908A4D8FEFA8DF28D8557E977E2FF64350F04426AE84DC7291CB789945CB82

Function 00007FF887CFA3D2 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3798533512.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_eternal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f49dc37a2f4c75331fc697c441988c3a245528f00a8c8e5ae77a3432b69896
Instruction ID: d1d6b0a6e0153765cc7297cbfec61ac4d2fc5668636845c04b8b82111ee9636b
Opcode Fuzzy Hash: c3f49dc37a2f4c75331fc697c441988c3a245528f00a8c8e5ae77a3432b69896
Instruction Fuzzy Hash: 3CE19230908A4E8FEBA8DF28D8557ED77E2FF55350F14426AD84DC7291CB78A845CB82

Function 00007FF887CF3408 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FF887CF34D1

Memory Dump Source

Source File: 00000000.00000002.3798533512.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_eternal.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 976b1e18698037411fd0b6975edd15435279c2d12c7aa68868635eba5c0e7498
Instruction ID: 976ba2047feb750d2d9005b6f3f40aa9775b82f06581ce4cc9f6fec105ab4953
Opcode Fuzzy Hash: 976b1e18698037411fd0b6975edd15435279c2d12c7aa68868635eba5c0e7498
Instruction Fuzzy Hash: 3D41F43190CA595FDB18EB58D8466FDBBE1EB59321F00423ED00DC3292CA64A802C7C1

Function 00007FF887CF2EF8 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FF887CF2FB2

Memory Dump Source

Source File: 00000000.00000002.3798533512.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887cf0000_eternal.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 0b014220ba697238806eb13b787266d0e669c1085b1fe09ecf0cf782a95e5e1b
Instruction ID: 04c26fbd13e8e472cbfab22d5fcef018e9b52ba2b69da948d06900d7ad6fd18d
Opcode Fuzzy Hash: 0b014220ba697238806eb13b787266d0e669c1085b1fe09ecf0cf782a95e5e1b
Instruction Fuzzy Hash: 5D31FF3180CA588FDB28DB98D8456FDBBF1FF65311F04412EE08AC3282CB74A846CB91

Analysis Process: XClient.exePID: 5552, Parent PID: 1124COMMON

Executed Functions

Function 00007FF887CF2059 Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887CF2122

Memory Dump Source

Source File: 00000004.00000002.1464788503.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 97b7fd3d35d4c764d0fc8c548d2fad54122c6ae1abaf9ccb000a68e233fbd739
Instruction ID: d085937366e4fe9f184abddc9d7dfb7fe37cebfdf06686834c74dd5076a74501
Opcode Fuzzy Hash: 97b7fd3d35d4c764d0fc8c548d2fad54122c6ae1abaf9ccb000a68e233fbd739
Instruction Fuzzy Hash: 6C510321A5D6C55FD796AB78A8243797FE1EF8B255B0800FBE08DC71E3DE485846C342

Function 00007FF887CF0C3E Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1464788503.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41815d5a5a6354fbe8c946684c49c4f01e6dc15697fb62f94984b44d9b473eb9
Instruction ID: 8b85f29585f35264e654e8ec3a17e30bd216e7632b5fefffea55a70671a4fa2f
Opcode Fuzzy Hash: 41815d5a5a6354fbe8c946684c49c4f01e6dc15697fb62f94984b44d9b473eb9
Instruction Fuzzy Hash: 14D10432A0D6960BE316B7BCE4512ED3BA1EF857B570801BBD49CCB193DD0C68878396

Function 00007FF887CF0540 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887CF2122

Memory Dump Source

Source File: 00000004.00000002.1464788503.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 56548e8f56ccdde18306fd7c7383ee9e2bd5e00a4f63ac9cd5f30fe2e4894abf
Instruction ID: 49ee89197124c0bbb3943fe0d534324eaa763105082cdd039993fa68b8519de1
Opcode Fuzzy Hash: 56548e8f56ccdde18306fd7c7383ee9e2bd5e00a4f63ac9cd5f30fe2e4894abf
Instruction Fuzzy Hash: D931A421F189495FE798AB6C986A37DA6D2EF9C751F0405BEE00EC32E3DE689C418341

Function 00007FF887CF0AD1 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

6B, xrefs: 00007FF887CF0B02

Memory Dump Source

Source File: 00000004.00000002.1464788503.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID: 6B
API String ID: 0-2065085838
Opcode ID: 48e25c9b3af187b7c3effbf8c4943fa6790c725f6a6f0341a8e51a55810c7bc8
Instruction ID: bdb5a686ed5ebcb3aa8bcfa19288e5c92a12b805ee3bf8dff60c494c223f19a8
Opcode Fuzzy Hash: 48e25c9b3af187b7c3effbf8c4943fa6790c725f6a6f0341a8e51a55810c7bc8
Instruction Fuzzy Hash: 5F316221F18A494FE784B7AC98593BC77E2FF98B51F040277E41DC7292DE6C98428752

Function 00007FF887CF0985 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

HBL, xrefs: 00007FF887CF09C0

Memory Dump Source

Source File: 00000004.00000002.1464788503.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID: HBL
API String ID: 0-3574280149
Opcode ID: e9dd20512da6dc77357731a97f4460272d05dbe98d7fe17fbe13144f2f955053
Instruction ID: 12cdb3dceab8a95236bda3db1c7f599eeaad4971a72b0b0c8ed07438d47ddd0d
Opcode Fuzzy Hash: e9dd20512da6dc77357731a97f4460272d05dbe98d7fe17fbe13144f2f955053
Instruction Fuzzy Hash: 2A31A230E18A098FEB48EBA8C4657FDB7B2FF98340F900579D009D3282DE386941C741

Function 00007FF887CF2211 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

8eL, xrefs: 00007FF887CF223D

Memory Dump Source

Source File: 00000004.00000002.1464788503.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID: 8eL
API String ID: 0-2915619072
Opcode ID: 03bcdd7780585c189f08474328a014b3d192935c33f82664b2a18f2ea7607a05
Instruction ID: 19f69190360113c3f7b5cc5f623c3cd5847b37733bd929737e7dd78e30426fe3
Opcode Fuzzy Hash: 03bcdd7780585c189f08474328a014b3d192935c33f82664b2a18f2ea7607a05
Instruction Fuzzy Hash: B201246090D6810FE786A238AC5197D7FF1EF912A0B0804BBE489C71E7D958A986C353

Function 00007FF887CF1185 Relevance: .6, Instructions: 575COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1464788503.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938d9fa83c8e48ac7a27bbceadc13139846765398b0f9f85e71c502bda52d7cf
Instruction ID: 0e97fbfdf9b50ff04bea5569a9d77d4b89564ec86a638874513f9cd3df9ddf94
Opcode Fuzzy Hash: 938d9fa83c8e48ac7a27bbceadc13139846765398b0f9f85e71c502bda52d7cf
Instruction Fuzzy Hash: D031D272E08B8A4FE705DB68D8A51ED7BB2FF85350B4501B7C049DB1D3DE286846C791

Function 00007FF887CF11F8 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1464788503.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f59af71041311ec84ee57e051cf51270049ba535a7141d205b09e11600eba8
Instruction ID: 18da94a7d2689032165efd1441b7312ff6436b644cd03d09db1fdd01d9aad856
Opcode Fuzzy Hash: e5f59af71041311ec84ee57e051cf51270049ba535a7141d205b09e11600eba8
Instruction Fuzzy Hash: 3921B062D58A8A5FE745D768C8A51FD7BB2FF85390F8440B6C00AD72E3DE6868068781

Function 00007FF887CF16C9 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1464788503.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c6b8a82c67f89e35fef3d05ece9e3c22b8a26015af8bbf7b8c48cdb541491b
Instruction ID: 5ebb1848bf60f271ee0aec44bf12492acd2c44859ded26100272b6760a601dea
Opcode Fuzzy Hash: 85c6b8a82c67f89e35fef3d05ece9e3c22b8a26015af8bbf7b8c48cdb541491b
Instruction Fuzzy Hash: EB516674B58A494FDB58BB78D4696BE7BB2FF48340B910479E01ED72C2DE389841C701

Function 00007FF887CF083D Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1464788503.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ccc9dff574d80ddd69d4716af11d09ea43a82c7d0bc7c1c3a141542e78d131
Instruction ID: 17f02bcab447988b569512d7b4a7d07879e777811d8af2e076eb9c5885f5b7dc
Opcode Fuzzy Hash: c5ccc9dff574d80ddd69d4716af11d09ea43a82c7d0bc7c1c3a141542e78d131
Instruction Fuzzy Hash: 1B31D471A4864A4FDB44EB58D4646BEBF73FF88340BD145B6D019C338ACE386905CB42

Analysis Process: XClient.exePID: 3376, Parent PID: 3504COMMON

Executed Functions

Function 00007FF887CE2059 Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887CE2122

Memory Dump Source

Source File: 00000006.00000002.1554575130.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 7cd89538322d4db89ec117d2537578630758f79d8dafdaee3d80247aeb908fd4
Instruction ID: 209de1153675e1650278c5a6a7bca5eda815bddad4474853f1852d29139311aa
Opcode Fuzzy Hash: 7cd89538322d4db89ec117d2537578630758f79d8dafdaee3d80247aeb908fd4
Instruction Fuzzy Hash: AD511321A5DAC54FD796A77898653797FE1EF8B255B0800FAE08DC71D3DE0C4846C342

Function 00007FF887CE0540 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887CE2122

Memory Dump Source

Source File: 00000006.00000002.1554575130.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 6a9c115d8f37162b1667194f17ddbf7107554bb7ec7d1d3556ddebf11b032ff2
Instruction ID: 9e446c6d10463cb2559400e28308bce9d5ab99ca1cad3f88c87a15ca07c1c258
Opcode Fuzzy Hash: 6a9c115d8f37162b1667194f17ddbf7107554bb7ec7d1d3556ddebf11b032ff2
Instruction Fuzzy Hash: D9319121B1C9495FE798AA6C986A37DA6D2EF9C751F0405BEE00EC32E3DE689C418341

Function 00007FF887CE0AD1 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

6B, xrefs: 00007FF887CE0B02

Memory Dump Source

Source File: 00000006.00000002.1554575130.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID: 6B
API String ID: 0-2065085838
Opcode ID: bb31c88ad0323661c5d8af301f212feaa64b693e8f60ece40e881c92dada7230
Instruction ID: 270ce1836cad3314ba884c9865ae76ff8e89e9018d98dcd61c2bc3f4211e2340
Opcode Fuzzy Hash: bb31c88ad0323661c5d8af301f212feaa64b693e8f60ece40e881c92dada7230
Instruction Fuzzy Hash: 1C319122F18A494FF784B7A898593BD77E2FB98751F140277E41DC3292DE2C58428392

Function 00007FF887CE0985 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

HBL, xrefs: 00007FF887CE09C0

Memory Dump Source

Source File: 00000006.00000002.1554575130.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID: HBL
API String ID: 0-3574280149
Opcode ID: 89155b1baebe0a39f50513da4b4032b8ca4eee4c2a90e7696a2ccf059764a020
Instruction ID: 6ac62dbf0f74e02b095536e68a1648a9e5390b28de57e49795757957cbbac98a
Opcode Fuzzy Hash: 89155b1baebe0a39f50513da4b4032b8ca4eee4c2a90e7696a2ccf059764a020
Instruction Fuzzy Hash: 6C316331E18A0D8FEB48EBA8C4657AD77B2FF98340F5445B5D019D7286CD3C6841CB52

Function 00007FF887CE2211 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

8eL, xrefs: 00007FF887CE223D

Memory Dump Source

Source File: 00000006.00000002.1554575130.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID: 8eL
API String ID: 0-2915619072
Opcode ID: 2b8194063c00e4c06682c086e20ec2e667053700c7a4e26e184daad8912e9c17
Instruction ID: 46c82b5778a8bf4fb5853d51c896a119613121c408f154ce04c7ecb957317f82
Opcode Fuzzy Hash: 2b8194063c00e4c06682c086e20ec2e667053700c7a4e26e184daad8912e9c17
Instruction Fuzzy Hash: 06012812D0CAC14FE742A338D851A793FF2EF912A0B0804B7D488C70E7DD089981C393

Function 00007FF887CE0C3E Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1554575130.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531f372d6f7a8a944e905540fa4d86f31edb72121061a1a4dad0a0608c484a80
Instruction ID: 163ad7360841f55666ed7e8cc85e5099905a3089b596877372233e48b464e152
Opcode Fuzzy Hash: 531f372d6f7a8a944e905540fa4d86f31edb72121061a1a4dad0a0608c484a80
Instruction Fuzzy Hash: 85510721A0D6C60FE357A778D8656B97BE2EF86650B1900FAD08DCB193DD1CAC46C353

Function 00007FF887CE16C9 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1554575130.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e811d2fac7e723d0dd3fa5acc2ddadcbe8b89ccc6018d7007d97c65bbd19aee1
Instruction ID: 56ef7d236e2a4cdb20bc49859f20a5404ef34f305ae0437c3da85bae9e23a235
Opcode Fuzzy Hash: e811d2fac7e723d0dd3fa5acc2ddadcbe8b89ccc6018d7007d97c65bbd19aee1
Instruction Fuzzy Hash: 6F517335A58A498FDB98B7B8C4696EDB7E3FF54340B9004B9E40ED7286DE3C9800CB55

Function 00007FF887CE083D Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1554575130.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ec502d82fbdf80b5fcae60f1b9a9cda3e7d5e0da3c04c6db38728b097d739e
Instruction ID: cd6eb8c2f72054e94192a3e9cc340d26de03a6fab9a52c45b7c6667b38f289b6
Opcode Fuzzy Hash: 83ec502d82fbdf80b5fcae60f1b9a9cda3e7d5e0da3c04c6db38728b097d739e
Instruction Fuzzy Hash: 7931D624A086498FD789EB5CC0945ADBB63FF94344BA440E6D418D339FCE2C9905CB96

Function 00007FF887CE15E2 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1554575130.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8185a2d5df916542ead752c4d8929df6aedaabed601296600c2b56aa240c3f2a
Instruction ID: 9d67013be1eff31ffdd53e7d8b31232eadf694f766e6aecbcb76af9db593b8d5
Opcode Fuzzy Hash: 8185a2d5df916542ead752c4d8929df6aedaabed601296600c2b56aa240c3f2a
Instruction Fuzzy Hash: E9D05E62D64A0F8BE784E798C8A52FEA3B2FF44380B408075C01DD31DACD3828008641

Analysis Process: XClient.exePID: 2052, Parent PID: 3504COMMON

Executed Functions

Function 00007FF887CF2059 Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887CF2122

Memory Dump Source

Source File: 00000007.00000002.1635864765.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 895d9ff0392c2220efc7b87fe4f63bd78f213a364df60c05a541c89df434048c
Instruction ID: 362d2bb09615d4a9b2527e731cd59797df3e8223b5123604bb438f227f7a2f1a
Opcode Fuzzy Hash: 895d9ff0392c2220efc7b87fe4f63bd78f213a364df60c05a541c89df434048c
Instruction Fuzzy Hash: 8E510321A5DAC55FD796AB78A8243797FE1EF8B255B0800FBE08DC71E3DE485846C342

Function 00007FF887CF0C3E Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1635864765.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dcd54413aaf5c5c0f563c3186aa6ff904d087664554c59d5306e22df40040bd
Instruction ID: 8e881aab136c41b446e7fdb2347923add5209665290c9c966f2722d01c3dcd96
Opcode Fuzzy Hash: 4dcd54413aaf5c5c0f563c3186aa6ff904d087664554c59d5306e22df40040bd
Instruction Fuzzy Hash: 71D10432A0D6960BE316B7BCE4512ED3BA1EF857B570801BBD49CCB193DD0C68878396

Function 00007FF887CF0540 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887CF2122

Memory Dump Source

Source File: 00000007.00000002.1635864765.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 3f2f580c052e0a6759f0880f31414ab71c28f1e4e42bee63069ecb50e6d9846b
Instruction ID: b5f9af3d8ee0ca3a0b51b98599f99bf35889db55d80b2b30195b32ac579437ff
Opcode Fuzzy Hash: 3f2f580c052e0a6759f0880f31414ab71c28f1e4e42bee63069ecb50e6d9846b
Instruction Fuzzy Hash: D531A421F189495FE798AB6C986A37DA7D2EF9C751F4405BEE00EC32E3DE689C418341

Function 00007FF887CF0AD1 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

6B, xrefs: 00007FF887CF0B02

Memory Dump Source

Source File: 00000007.00000002.1635864765.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID: 6B
API String ID: 0-2065085838
Opcode ID: 48e25c9b3af187b7c3effbf8c4943fa6790c725f6a6f0341a8e51a55810c7bc8
Instruction ID: bdb5a686ed5ebcb3aa8bcfa19288e5c92a12b805ee3bf8dff60c494c223f19a8
Opcode Fuzzy Hash: 48e25c9b3af187b7c3effbf8c4943fa6790c725f6a6f0341a8e51a55810c7bc8
Instruction Fuzzy Hash: 5F316221F18A494FE784B7AC98593BC77E2FF98B51F040277E41DC7292DE6C98428752

Function 00007FF887CF0985 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

HBL, xrefs: 00007FF887CF09C0

Memory Dump Source

Source File: 00000007.00000002.1635864765.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID: HBL
API String ID: 0-3574280149
Opcode ID: 1961194340801dbb6cde39a92211406742a1c4208e8ed8246a2368fa1ac41d5c
Instruction ID: 8772f1d5e21f2db3078f7045dc79b556a921ba09a19446efeef3f81861e938fd
Opcode Fuzzy Hash: 1961194340801dbb6cde39a92211406742a1c4208e8ed8246a2368fa1ac41d5c
Instruction Fuzzy Hash: 4531B230E18A0D8FEB84EBA8C4657EDB7B2FF88341F904479D009D3282CE386841CB42

Function 00007FF887CF2211 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

8eL, xrefs: 00007FF887CF223D

Memory Dump Source

Source File: 00000007.00000002.1635864765.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID: 8eL
API String ID: 0-2915619072
Opcode ID: 51ce7e4b208976df22da4949214accc9526840f3ab9f59b3f7d7f206a526006e
Instruction ID: 23cffa35428439367b5f90b710928d591acf25c065ba2eb94ca395ffe8c026db
Opcode Fuzzy Hash: 51ce7e4b208976df22da4949214accc9526840f3ab9f59b3f7d7f206a526006e
Instruction Fuzzy Hash: ED01286494DB850FE742A238AC5157D7FF1EF912A0B0804BBE488C71E7D9589986C353

Function 00007FF887CF1185 Relevance: .6, Instructions: 575COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1635864765.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19632b93a54a325dc0cc874f41e1ac4308ea84691324b68c50ae4020843a26bc
Instruction ID: 527a7d83edcd7e29b9b7d7c03d1ee4eb2d71d5af752085c704dfd3a8da739687
Opcode Fuzzy Hash: 19632b93a54a325dc0cc874f41e1ac4308ea84691324b68c50ae4020843a26bc
Instruction Fuzzy Hash: 1031BF72E0CB9A4FE7019B68D8A41ED7BB2FF85350B4501B7C049DB2D3DE2868468791

Function 00007FF887CF11F8 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1635864765.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1265897883039c9aa04309fc2859e35951ca3089ae64f87a9707d4adcc74c522
Instruction ID: ec24455671913fb9ef8de116e1bd2cfc022d9a65693ecbd02ad8c9c1c2e6d9e7
Opcode Fuzzy Hash: 1265897883039c9aa04309fc2859e35951ca3089ae64f87a9707d4adcc74c522
Instruction Fuzzy Hash: 7D21AE62D5CB9A5FE7459668C8A41ED7BB2FF85380F8440B6C00AD72E3DE6868068781

Function 00007FF887CF16C9 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1635864765.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21112edf249238f7fb1aa6b3406fbe11c5eec981d695b9e3880a967c2f998b2e
Instruction ID: 5bb1e3dd560d81d9764a3ad2a2c91da759048ff7631d83f0a9b0120ce606f63e
Opcode Fuzzy Hash: 21112edf249238f7fb1aa6b3406fbe11c5eec981d695b9e3880a967c2f998b2e
Instruction Fuzzy Hash: 92515F64A68E0D4FDB98AB78D4697ADBBA2FF85340BD10479E41ED72C2DE289841C701

Function 00007FF887CF083D Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1635864765.00007FF887CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff887cf0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4d08be60421be1cb5c19370a95e96ddc50496f8d605355863f89b51e89102a4
Instruction ID: 4b0ecef6423f13eea4cad4c449150e216d1b711c480bd08bf36dfa6bff8a2fec
Opcode Fuzzy Hash: f4d08be60421be1cb5c19370a95e96ddc50496f8d605355863f89b51e89102a4
Instruction Fuzzy Hash: B431D475A48E8E4FD784EB58D4646ADBF72FF84340BD045B6D418C33CACE286905CB52

Analysis Process: XClient.exePID: 4436, Parent PID: 1124COMMON

Executed Functions

Function 00007FF887D12059 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887D12122

Memory Dump Source

Source File: 0000000A.00000002.1955123167.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 175d40a54ba4b501b0ec8b90f2dc7c62b6269c042e5a807a1a24aa08e5208c13
Instruction ID: 918750a216f6988b3fbf9223cf46eb100688f8887b40a03ba432f32927f48f41
Opcode Fuzzy Hash: 175d40a54ba4b501b0ec8b90f2dc7c62b6269c042e5a807a1a24aa08e5208c13
Instruction Fuzzy Hash: C7513320B1D6C59FD796AB785825279BFE0EF87255B0802FAE08EC3193DD0C5846C352

Function 00007FF887D10C3E Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1955123167.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24c837a283fdf993d8b46a79cf394f0fca72f2b34591d55b9c4db51678d2b50
Instruction ID: 517c757ac2c4d5281cccb5136a330c91a18bf773c43ba2209a612b11984fcbd0
Opcode Fuzzy Hash: a24c837a283fdf993d8b46a79cf394f0fca72f2b34591d55b9c4db51678d2b50
Instruction Fuzzy Hash: F4D11B32A0D6964AF317B7BCA4552FD7BE0EF453A470842BBE49DCB093DC0C68468356

Function 00007FF887D10540 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887D12122

Memory Dump Source

Source File: 0000000A.00000002.1955123167.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: c63777c64a2d856f1510f7a12a8c244d81516d40f83265a2ba46ca4f98d256bc
Instruction ID: 6a1010ccb7c53875c158b8781eec754c9bd6c28050a17c7be0be0b9d3163a05a
Opcode Fuzzy Hash: c63777c64a2d856f1510f7a12a8c244d81516d40f83265a2ba46ca4f98d256bc
Instruction Fuzzy Hash: 8031A621F189495FE698EB6C986A379B7D2EF99751F0406BEE00EC3293DD68AC418341

Function 00007FF887D10AD1 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

6B, xrefs: 00007FF887D10B02

Memory Dump Source

Source File: 0000000A.00000002.1955123167.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID: 6B
API String ID: 0-2065085838
Opcode ID: c890d2269fab8dfa5895c1a8bbfa1012eb8c10270df36bacba8f6cfd454821aa
Instruction ID: a6f29e872fa73e6e425f7a2c7dd0b1449ad3bb760652f3adcdbb15629ce3e7a6
Opcode Fuzzy Hash: c890d2269fab8dfa5895c1a8bbfa1012eb8c10270df36bacba8f6cfd454821aa
Instruction Fuzzy Hash: F1319221F18A4A4FE784B7AC98593BDB7E1FB98751F0403B7E41DC3296DE2C68428752

Function 00007FF887D10985 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

HBL, xrefs: 00007FF887D109C0

Memory Dump Source

Source File: 0000000A.00000002.1955123167.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID: HBL
API String ID: 0-3574280149
Opcode ID: 05bd33764a74aa340001c5e61e3c3f6ebfadcc437990787ab62724a832146167
Instruction ID: 1482445d6b6dbaf5168048ba1bad26dd21d0ebc2920b8b26634b2e0fe99ba5cb
Opcode Fuzzy Hash: 05bd33764a74aa340001c5e61e3c3f6ebfadcc437990787ab62724a832146167
Instruction Fuzzy Hash: 5E314F30A18A0D8FEB44FBA8C4657ADB7F2FF98341F544579D019D7686CE38A841CB51

Function 00007FF887D12211 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

8eL, xrefs: 00007FF887D1223D

Memory Dump Source

Source File: 0000000A.00000002.1955123167.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID: 8eL
API String ID: 0-2915619072
Opcode ID: ccc6bdddc062def22e9a0588c45111c8eb5ad36bdbeed905e606e0b387d372d6
Instruction ID: 8954b651e4ea059d618cd5f2467f5ea5b360edcc995c44b4e24c13f8a6eb3048
Opcode Fuzzy Hash: ccc6bdddc062def22e9a0588c45111c8eb5ad36bdbeed905e606e0b387d372d6
Instruction Fuzzy Hash: E7012420A0C6858FE745A738580597ABFF0EF96391B0405F7E889C209BE918A981C3A3

Function 00007FF887D11185 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1955123167.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ff0ffa03226990acce52c250a4c7fc97e179178d0a35ce995ddff0806f4fa96
Instruction ID: 8da6a880021cc7fcb90a0e6f4cc4b5c8c37b9fc5a5478e516873670d0ebd648d
Opcode Fuzzy Hash: 3ff0ffa03226990acce52c250a4c7fc97e179178d0a35ce995ddff0806f4fa96
Instruction Fuzzy Hash: DC31E022E0978A5FE742E76C98A41EDBBF1FF42350B0502B3C44AC7197DE29284687A1

Function 00007FF887D111F8 Relevance: .5, Instructions: 544COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1955123167.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d648d3840f92791a2922c76fc056433cce72c88324e4c4e6c712ad70b627ef70
Instruction ID: a8fd89d4786703fca6a955a4eac30f7a75e9afe46166ab527043a32c31bee45e
Opcode Fuzzy Hash: d648d3840f92791a2922c76fc056433cce72c88324e4c4e6c712ad70b627ef70
Instruction Fuzzy Hash: AE21B021E59A8A6FE745A768C8641EDFBF1FF45380F4542B6C04AD31D7CE292841C7A1

Function 00007FF887D116C9 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1955123167.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c19cd5240020b8462adca676686b19d5b52a31282152307f1ad3b94316bfb734
Instruction ID: 41bf70f41577860f4b5ae8ee0f7eeb9ef1eb71c86bb0e990338797541416ca7f
Opcode Fuzzy Hash: c19cd5240020b8462adca676686b19d5b52a31282152307f1ad3b94316bfb734
Instruction Fuzzy Hash: 40515330A1860D8FDB54B778846D6AEF6F2FF88341B904579E05ED7686EE3C9800C711

Function 00007FF887D1083D Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1955123167.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b73872933059c611e7af5cda6e391c40fdf37d9363827a3c4addc6d4933e8e
Instruction ID: b60397ca2c02c1a93e4d3a5ef86f9af597f091d9bc07de21fdd49159fa1bcb46
Opcode Fuzzy Hash: 53b73872933059c611e7af5cda6e391c40fdf37d9363827a3c4addc6d4933e8e
Instruction Fuzzy Hash: B531A720A4C64D8FD784FB5CC4556ADFBB2FF84344B9481B6D15AC3B8ACE6C5844CB52

Analysis Process: XClient.exePID: 5852, Parent PID: 1124COMMON

Executed Functions

Function 00007FF887CE2059 Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887CE2122

Memory Dump Source

Source File: 0000000C.00000002.2546681336.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 7fff31324adb87e5172ecd83eb1edae46bf7d224e8564ab702bec898aaa7672d
Instruction ID: 66c8354e876cd9cb13313f8f434cd987ef6c1ee184dbee61215e05993b32e7eb
Opcode Fuzzy Hash: 7fff31324adb87e5172ecd83eb1edae46bf7d224e8564ab702bec898aaa7672d
Instruction Fuzzy Hash: C9511321A5DAC94FD796A77898253797FE1EF8B255B0800FAE08DC71D3DE084846C342

Function 00007FF887CE0540 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887CE2122

Memory Dump Source

Source File: 0000000C.00000002.2546681336.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 1b903b7b5c11eb7ae144d8a201734eca52a08e3d6c338ceb0983df00af2f496c
Instruction ID: 9152c01f2e2dfdc4fc2ffe9b7fb6c39ec34173ba4312b6b1b6912ad3c753d9bf
Opcode Fuzzy Hash: 1b903b7b5c11eb7ae144d8a201734eca52a08e3d6c338ceb0983df00af2f496c
Instruction Fuzzy Hash: 9C319121B1C9495FE798AA6C986A37DA6D2EF9C751F0405BEE00EC32E3DE689C418341

Function 00007FF887CE0AD1 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

6B, xrefs: 00007FF887CE0B02

Memory Dump Source

Source File: 0000000C.00000002.2546681336.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID: 6B
API String ID: 0-2065085838
Opcode ID: bb31c88ad0323661c5d8af301f212feaa64b693e8f60ece40e881c92dada7230
Instruction ID: 270ce1836cad3314ba884c9865ae76ff8e89e9018d98dcd61c2bc3f4211e2340
Opcode Fuzzy Hash: bb31c88ad0323661c5d8af301f212feaa64b693e8f60ece40e881c92dada7230
Instruction Fuzzy Hash: 1C319122F18A494FF784B7A898593BD77E2FB98751F140277E41DC3292DE2C58428392

Function 00007FF887CE0985 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

HBL, xrefs: 00007FF887CE09C0

Memory Dump Source

Source File: 0000000C.00000002.2546681336.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID: HBL
API String ID: 0-3574280149
Opcode ID: 635156a538c461caaa1b39b71c9b5cec9a309640c36ca12de5d52507763e0213
Instruction ID: d0573fea7920aac904bc8d43ae7f045017934e3b91d345c0e859b546ac801af5
Opcode Fuzzy Hash: 635156a538c461caaa1b39b71c9b5cec9a309640c36ca12de5d52507763e0213
Instruction Fuzzy Hash: 5831A071E18A0D8FEB44EBA8D4657EDB7B2FF98341F544579D019D3282CE38A841CB42

Function 00007FF887CE2211 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

8eL, xrefs: 00007FF887CE223D

Memory Dump Source

Source File: 0000000C.00000002.2546681336.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID: 8eL
API String ID: 0-2915619072
Opcode ID: 73f8f112f65342dbbb828c5d576e07ba1c87e942742c565b815320db7adf4444
Instruction ID: bc95dbb50b81e9bf54caa9ff86d876b8c78864990786facef2ab41204d70d28d
Opcode Fuzzy Hash: 73f8f112f65342dbbb828c5d576e07ba1c87e942742c565b815320db7adf4444
Instruction Fuzzy Hash: C501F51294CA810FE742A238D8556797FB1EB913A0B0804BAD488C70E7D9089981C393

Function 00007FF887CE0C3E Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2546681336.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2645a3c8ed831349bd12b2f6e1d29cee818b9ebcb66638b88d36fc1fb75a245
Instruction ID: 7393f98cf610a6265d5ae449e9261eda7b0b49258eec8ec281e1a0a5a20b9019
Opcode Fuzzy Hash: f2645a3c8ed831349bd12b2f6e1d29cee818b9ebcb66638b88d36fc1fb75a245
Instruction Fuzzy Hash: CC512721A0DAC60FE357A778D8652B97BE2EF86650B1900FAD08DCB193CD1CAC46C353

Function 00007FF887CE16C9 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2546681336.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f95ab9106dc9232ee1aeeb1932fc9e60d9954115af535b9af07db34a54ec51cb
Instruction ID: 37a88e12b5e49d453fc9b80d0fd24d995a048fb0471ff6c63ccd39321ee5e25b
Opcode Fuzzy Hash: f95ab9106dc9232ee1aeeb1932fc9e60d9954115af535b9af07db34a54ec51cb
Instruction Fuzzy Hash: 70517E75A68A4D4FDB94B7B8D46D6ADBAA2FF84340F900479E40ED7282DE389800CB41

Function 00007FF887CE083D Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2546681336.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d893f4e0feb259b300a5ecc69d8be44dceef039dd44f7d68b4934995f2bf2b6
Instruction ID: dea13b93b7249de5faaa4cd155bbcb1929fe45433ca06b98500f1a243183fcd4
Opcode Fuzzy Hash: 6d893f4e0feb259b300a5ecc69d8be44dceef039dd44f7d68b4934995f2bf2b6
Instruction Fuzzy Hash: CB31B665A4864D4FD744EB68D099AADBF72FF84340F9444BAD518C338ACE285905CF92

Function 00007FF887CE15E2 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2546681336.00007FF887CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff887ce0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f7512b93e6c15ba112b112198fae1212b4d4b5cff7a4a8dcae8c61f1034f5a
Instruction ID: 39c3e9823e901cdab905cbca7e6c35b760f0e2ba165a7031359af5727a785f04
Opcode Fuzzy Hash: 40f7512b93e6c15ba112b112198fae1212b4d4b5cff7a4a8dcae8c61f1034f5a
Instruction Fuzzy Hash: B0D05E62D64B2F8BE784E798D8652FEA7B2FF44381F448079C01DD31D6CD3828008641

Analysis Process: XClient.exePID: 5984, Parent PID: 1124COMMON

Executed Functions

Function 00007FF887D02059 Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887D02122

Memory Dump Source

Source File: 0000000D.00000002.3151931888.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff887d00000_XClient.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 7d362562534ba4f1fa390a89f27946c7e6c1a3ddd9798b1a6fe2f70fe4f73816
Instruction ID: 65b0c8c170fa5435cac5ba566e37d60061e2716e6b373d674136d5aa3d2d486d
Opcode Fuzzy Hash: 7d362562534ba4f1fa390a89f27946c7e6c1a3ddd9798b1a6fe2f70fe4f73816
Instruction Fuzzy Hash: 90512320A5E6C59FD796AB78586537ABFE0EF8B255B0801FAE08EC31D3DD085846C342

Function 00007FF887D00C3E Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3151931888.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff887d00000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4241980cad5cf09bd027c29d35102bcb35165b61e9615d7cef898f70a7168be
Instruction ID: 2cb55e08aa668e818a2dc88070ecdbadfebeca1c055432a1a30ac85c1fcb73e5
Opcode Fuzzy Hash: d4241980cad5cf09bd027c29d35102bcb35165b61e9615d7cef898f70a7168be
Instruction Fuzzy Hash: 27D10522A0D6960AE317B7BCA8552FD7BA0EF863B570801BBD59DCB093DD0C6447C396

Function 00007FF887D00540 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887D02122

Memory Dump Source

Source File: 0000000D.00000002.3151931888.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff887d00000_XClient.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: f210a86224b00196a6aac3017530f00db844b35fac0a8880bfaf039c092a24cf
Instruction ID: d3dc1d69f318c2e22a68d2daabac214cb23d8ccfcbe97f2de3550e9a982b932f
Opcode Fuzzy Hash: f210a86224b00196a6aac3017530f00db844b35fac0a8880bfaf039c092a24cf
Instruction Fuzzy Hash: CC31A621F189485FE698AB6C986A379A6D2FF9C751F4405BEE00EC3297DD68AC418342

Function 00007FF887D00AD1 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

6B, xrefs: 00007FF887D00B02

Memory Dump Source

Source File: 0000000D.00000002.3151931888.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff887d00000_XClient.jbxd

Similarity

API ID:
String ID: 6B
API String ID: 0-2065085838
Opcode ID: 5a4189686fac618c6c84e2a63d4ddf8fd1a49e4c565da8f9bea8edfd21f9d446
Instruction ID: c1a1e3d9731d3f63dbdb49d2352dee60760b7c75d66c75fce119848a34572edf
Opcode Fuzzy Hash: 5a4189686fac618c6c84e2a63d4ddf8fd1a49e4c565da8f9bea8edfd21f9d446
Instruction Fuzzy Hash: F231B221F18A495FE784B7AC98193FD77E2FB98791F040277E41DC3296DE2C58428792

Function 00007FF887D00985 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

HBL, xrefs: 00007FF887D009C0

Memory Dump Source

Source File: 0000000D.00000002.3151931888.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff887d00000_XClient.jbxd

Similarity

API ID:
String ID: HBL
API String ID: 0-3574280149
Opcode ID: a85918ab2f52bb8049e7ed496e319496965867a865517ec719e129a97c992f40
Instruction ID: 3ea330192ee86022fd1ed02f9d15b2636fd25613c66c879c09716a714368ab60
Opcode Fuzzy Hash: a85918ab2f52bb8049e7ed496e319496965867a865517ec719e129a97c992f40
Instruction Fuzzy Hash: 96319370E18A098FEB44FBA8D4657EDB7B2FF98340F944579D019D7286CE386841CB42

Function 00007FF887D02211 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

8eL, xrefs: 00007FF887D0223D

Memory Dump Source

Source File: 0000000D.00000002.3151931888.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff887d00000_XClient.jbxd

Similarity

API ID:
String ID: 8eL
API String ID: 0-2915619072
Opcode ID: f479875c7a185a6fe1efeaedcd812cb4da7464ab2e9f015856c0e55681ee77ff
Instruction ID: 9b8fd5deacf1e968e8489478148009b85dccf36423283358955e947056785718
Opcode Fuzzy Hash: f479875c7a185a6fe1efeaedcd812cb4da7464ab2e9f015856c0e55681ee77ff
Instruction Fuzzy Hash: 52012B20D0D6815FE785A77868159797FF0EF96390B4805B7E48DC60DBDC1CA985C393

Function 00007FF887D01185 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3151931888.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff887d00000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a1612d53476637c5112f087e6029b8d0a8ea61f9f37607d909f5a2431a84a3
Instruction ID: 3e981e2df8fc6ebfedab782e0b2ce88ff9905b843041e2ff1b2fd1d4ff6c59f4
Opcode Fuzzy Hash: 99a1612d53476637c5112f087e6029b8d0a8ea61f9f37607d909f5a2431a84a3
Instruction Fuzzy Hash: EC31D232E087469FE706EB68C8A56ED7BB1FF45390B0502B7D04AD71D7CE28280AC791

Function 00007FF887D011F8 Relevance: .5, Instructions: 544COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3151931888.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff887d00000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbfb0f94e2b933bce0295e6acac2fb1408e7c315db7d78432a618ce5a241263
Instruction ID: 25a63c21b6ed3a2b22f5e2a81de36b1572a3f8fdc59b5a1d14bf553da4a6778c
Opcode Fuzzy Hash: 7fbfb0f94e2b933bce0295e6acac2fb1408e7c315db7d78432a618ce5a241263
Instruction Fuzzy Hash: 6F21F132D48A4A9FEB45E768CC655EDBBB2FF45380F4452B6C00AC71D7CE282805C791

Function 00007FF887D016C9 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3151931888.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff887d00000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff4bade43b4c06713d64fd3e05f753a3321ba3653d65cf3e7db5f048b9b612c7
Instruction ID: 2ddf904de5088d3c4160d01aea844eaeba591850b5ceaa6256754510730880b9
Opcode Fuzzy Hash: ff4bade43b4c06713d64fd3e05f753a3321ba3653d65cf3e7db5f048b9b612c7
Instruction Fuzzy Hash: A2518274B546095FDB94BB78946DABDBAF2FF88340B940479E01ED72C6DE38A800C701

Function 00007FF887D0083D Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3151931888.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff887d00000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3395221d04a8beefd1b84232a04136e24e8b897e052b3b389e4a8f8bdab3ca
Instruction ID: 7be49fac3a7d34f6ad4420296ad9bac2e3de39db644de40aea5b599f115e150b
Opcode Fuzzy Hash: 1a3395221d04a8beefd1b84232a04136e24e8b897e052b3b389e4a8f8bdab3ca
Instruction Fuzzy Hash: 7231C861A486494FD744FB98D4A96ADBF72FF84340BD485B6D019C738ACE38A944CB82

Analysis Process: XClient.exePID: 3668, Parent PID: 1124COMMON

Executed Functions

Function 00007FF887D12059 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887D12122

Memory Dump Source

Source File: 0000000E.00000002.3750275426.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 5f14ffbb120c8e4d5b889e3a7f23d8c7262739ce65d74fb8a95ed6d5bff523ff
Instruction ID: e34ba73401a88e9183dab0a102493cc8ae6efc21347b4a82593b7d325f83d682
Opcode Fuzzy Hash: 5f14ffbb120c8e4d5b889e3a7f23d8c7262739ce65d74fb8a95ed6d5bff523ff
Instruction Fuzzy Hash: 04513120B5D6C58FD796AB785825279BFE0EF8B255B0802FAE08EC31D3DD086846C352

Function 00007FF887D10C3E Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3750275426.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a37d5c46eaefbd167bb6c4f8a4834c26d3acd5f7d9fca23e7eb7d14464b7fa2
Instruction ID: 785a66b34bde3298f1d8e4c201f944f2b0328747a37543e661cfa73e96e5434a
Opcode Fuzzy Hash: 5a37d5c46eaefbd167bb6c4f8a4834c26d3acd5f7d9fca23e7eb7d14464b7fa2
Instruction Fuzzy Hash: C1D11A32A0D6964AF317B7BCA4552FD7BE0EF453A470842BBE49DCB093DC0C68468396

Function 00007FF887D10540 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887D12122

Memory Dump Source

Source File: 0000000E.00000002.3750275426.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: b530c4eed88978463812d56be72aaf53016bf449112f00d3d4e347da538c5719
Instruction ID: 74e2a199b998f87c083cf87b05966f44e48d06d3c48e83c1c3fb930b72ef4bd6
Opcode Fuzzy Hash: b530c4eed88978463812d56be72aaf53016bf449112f00d3d4e347da538c5719
Instruction Fuzzy Hash: 8931A421F189495FE698EB6C986A379A7D2EF99751F0406BEE00EC32D3DD68AC418341

Function 00007FF887D10AD1 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

6B, xrefs: 00007FF887D10B02

Memory Dump Source

Source File: 0000000E.00000002.3750275426.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID: 6B
API String ID: 0-2065085838
Opcode ID: c890d2269fab8dfa5895c1a8bbfa1012eb8c10270df36bacba8f6cfd454821aa
Instruction ID: a6f29e872fa73e6e425f7a2c7dd0b1449ad3bb760652f3adcdbb15629ce3e7a6
Opcode Fuzzy Hash: c890d2269fab8dfa5895c1a8bbfa1012eb8c10270df36bacba8f6cfd454821aa
Instruction Fuzzy Hash: F1319221F18A4A4FE784B7AC98593BDB7E1FB98751F0403B7E41DC3296DE2C68428752

Function 00007FF887D10985 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

HBL, xrefs: 00007FF887D109C0

Memory Dump Source

Source File: 0000000E.00000002.3750275426.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID: HBL
API String ID: 0-3574280149
Opcode ID: bea9f7bdf96bbe505f6deacd01d70a1fd4f19fa044c8e0b0b9e58d8c352cae2e
Instruction ID: cebcd065bdd98479b7628201532501f521b7d6c482526a6d3119493ebeadb4dd
Opcode Fuzzy Hash: bea9f7bdf96bbe505f6deacd01d70a1fd4f19fa044c8e0b0b9e58d8c352cae2e
Instruction Fuzzy Hash: E6318070A58A498FEF48FBA8D4657BDB7B2FF98340F540679D009D7286CE386805C752

Function 00007FF887D12211 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

8eL, xrefs: 00007FF887D1223D

Memory Dump Source

Source File: 0000000E.00000002.3750275426.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID: 8eL
API String ID: 0-2915619072
Opcode ID: a6db74f27a0ad16e5deaea30c923cda8d840741e876633224c37b27e1903a752
Instruction ID: 417474a2c40a2bef33542ab334269113c877c77e6bdcccb065ec4754b94e3778
Opcode Fuzzy Hash: a6db74f27a0ad16e5deaea30c923cda8d840741e876633224c37b27e1903a752
Instruction Fuzzy Hash: 9901D824A0C6814FE74567386805579BFB0EF95391B0405F7E889C60DBD8186985C3A3

Function 00007FF887D11185 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3750275426.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dbe37ea1ea5eef9833b557e92cefc758ba3e5508a91acd6dcb980ecc879e84f
Instruction ID: 9b9d1490692754e9e66d5b102db12f30ab340764b5ca7bb498254de3ca838b4e
Opcode Fuzzy Hash: 4dbe37ea1ea5eef9833b557e92cefc758ba3e5508a91acd6dcb980ecc879e84f
Instruction Fuzzy Hash: 8631F232E4978A5FE742D768D8A52FDBBF1FF42250B0502B3C44AC71D7DD29284687A1

Function 00007FF887D111F8 Relevance: .5, Instructions: 544COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3750275426.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b98de6446c253021cdcf3e23f957725b58484047ed36b04aee259bee8360b90
Instruction ID: 1c2ed2c5068692e91acf670db9d20ccd37b7264767f574ffd03bce9becc22a2d
Opcode Fuzzy Hash: 6b98de6446c253021cdcf3e23f957725b58484047ed36b04aee259bee8360b90
Instruction Fuzzy Hash: EA210322E59A8A5FE745D768C8652FDFBF1FF45380F4542B6C00AC31D7CE29280187A1

Function 00007FF887D116C9 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3750275426.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1a52eb9a48d6f6dde39dfdf2f317a93ce819f31f1f578edf9cb9099d80bf76
Instruction ID: 160d8a7e54db86a615c89d638cf604e900dfafab598e2f2a9ae6b26b23eb1a69
Opcode Fuzzy Hash: ed1a52eb9a48d6f6dde39dfdf2f317a93ce819f31f1f578edf9cb9099d80bf76
Instruction Fuzzy Hash: 1D517475E586494FEF58B77894696BDFAA6FF88340B800579E41ED32C6ED3C9800C711

Function 00007FF887D1083D Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3750275426.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff887d10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf014fedd50f0188ce073254f054ab3dbbf02ddca1ee36363cde5fd22db27ab
Instruction ID: a171c195606e62244c55de07ea0f32cddccf6e42e639382642ac87050710897e
Opcode Fuzzy Hash: 1cf014fedd50f0188ce073254f054ab3dbbf02ddca1ee36363cde5fd22db27ab
Instruction Fuzzy Hash: F831B465A4C6894FDF44FB6894956BCBE62FFC4340B9042BAD41DC37CACD2C5904CB92

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eternal.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

C:\Users\user\AppData\Roaming\XClient.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
eternal.exe

Function 00007FF887CF186D Relevance: 13.1, Strings: 10, Instructions: 625
COMMON

Function 00007FF887CF2059 Relevance: 1.4, Strings: 1, Instructions: 197
COMMON

Function 00007FF887CF3408 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Function 00007FF887CF2EF8 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON