Windows Analysis Report
xt.exe

Overview

General Information

Sample name: xt.exe
Analysis ID: 1577544
MD5: 009e2424044cdb99eb7437eba6be15ed
SHA1: 109e876c4e86721af7299ec34806f4b3189f084d
SHA256: 035b9f3f186f7cd0d168f846726ea3668be8cbefe947edbf1a4e385cd9d86760
Tags: 18521511316185215113209 AsyncRAT bulletproof exe user-abus3reports

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • xt.exe (PID: 8020 cmdline: "C:\Users\user\Desktop\xt.exe" MD5: 009E2424044CDB99EB7437EBA6BE15ED)
  • OpenWith.exe (PID: 7672 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • OpenWith.exe (PID: 6424 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

Malware configuration (XWorm): {"C2 url": ["45.66.231.231"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "voldec.exe"}
Source | Rule | Description | Author | Strings
xt.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
xt.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
xt.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xde08:$s6: VirtualBox
  • 0xdd66:$s8: Win32_ComputerSystem
  • 0xfed9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xff76:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1008b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf188:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\winsct | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\winsct | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\winsct | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xde08:$s6: VirtualBox
  • 0xdd66:$s8: Win32_ComputerSystem
  • 0xfed9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xff76:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1008b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf188:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000000.1331020077.0000000000602000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1331020077.0000000000602000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xdc08:$s6: VirtualBox
  • 0xdb66:$s8: Win32_ComputerSystem
  • 0xfcd9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xfd76:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xfe8b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xef88:$cnc4: POST / HTTP/1.1
00000000.00000002.3803021622.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: xt.exe PID: 8020 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
0.0.xt.exe.600000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.xt.exe.600000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.xt.exe.600000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xde08:$s6: VirtualBox
  • 0xdd66:$s8: Win32_ComputerSystem
  • 0xfed9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xff76:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1008b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf188:$cnc4: POST / HTTP/1.1

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\winsct, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\xt.exe, ProcessId: 8020, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsct
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\xt.exe, ProcessId: 8020, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winsct.lnk

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T15:23:33.993151+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49900 | 45.66.231.231 | 7000 | TCP

AV Detection

Source: xt.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\winsct | Avira: detection malicious, Label: TR/Spy.Gen
Source: xt.exe | Malware Configuration Extractor: Xworm {"C2 url": ["45.66.231.231"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "voldec.exe"}
Source: C:\Users\user\AppData\Roaming\winsct | ReversingLabs: Detection: 84%
Source: xt.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\winsct | Joe Sandbox ML: detected
Source: xt.exe | Joe Sandbox ML: detected
Source: xt.exe | String decryptor: 45.66.231.231
Source: xt.exe | String decryptor: 7000
Source: xt.exe | String decryptor: <123456789>
Source: xt.exe | String decryptor: <Xwormmm>
Source: xt.exe | String decryptor: General
Source: xt.exe | String decryptor: voldec.exe
Source: xt.exe | String decryptor: %AppData%
Source: xt.exe | String decryptor: winsct
Source: xt.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: xt.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.10:49726 -> 45.66.231.231:7000
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.10:49900 -> 45.66.231.231:7000
Source: Malware configuration extractor | URLs: 45.66.231.231
Source: Yara match | File source: xt.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xt.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\winsct, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.10:49726 -> 45.66.231.231:7000
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: CMCSUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 45.66.231.231
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: xt.exe, winsct.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: xt.exe, 00000000.00000002.3803021622.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Operating System Destruction

Source: C:\Users\user\Desktop\xt.exe | Process information set: 01 00 00 00

System Summary

Source: xt.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.xt.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1331020077.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\winsct, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\xt.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\xt.exe | Code function: 0_2_00007FF7C0E82181 | 0_2_00007FF7C0E82181
Source: C:\Users\user\Desktop\xt.exe | Code function: 0_2_00007FF7C0E816E9 | 0_2_00007FF7C0E816E9
Source: C:\Users\user\Desktop\xt.exe | Code function: 0_2_00007FF7C0E85EB6 | 0_2_00007FF7C0E85EB6
Source: C:\Users\user\Desktop\xt.exe | Code function: 0_2_00007FF7C0E86C62 | 0_2_00007FF7C0E86C62
Source: C:\Users\user\Desktop\xt.exe | Code function: 0_2_00007FF7C0E81EF5 | 0_2_00007FF7C0E81EF5
Source: xt.exe, 00000000.00000000.1331020077.0000000000602000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs xt.exe
Source: xt.exe | Binary or memory string: OriginalFilenameXClient.exe4 vs xt.exe
Source: xt.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: xt.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.xt.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1331020077.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\winsct, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: xt.exe, wfFHiJCCL3FGmDspZvXiZ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: xt.exe, ctFbR620ZUOpzfNILIZDq.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: xt.exe, ctFbR620ZUOpzfNILIZDq.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: winsct.0.dr, wfFHiJCCL3FGmDspZvXiZ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: winsct.0.dr, ctFbR620ZUOpzfNILIZDq.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: winsct.0.dr, ctFbR620ZUOpzfNILIZDq.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: xt.exe, wfFHiJCCL3FGmDspZvXiZ.cs | Base64 encoded string: 'oJFINUfGwLCScrXpeGQcLRkMYJTeZcidtsBX3d6zWElA3uj92iMOhHeCQnFnq8gdr2xY34Tozd0zptjX'
Source: xt.exe, xXPfyxuXm0zZ0PdrVwchw1pLo6DEw1zRB0pAJDIgwIj.cs | Base64 encoded string: 'rjNlqZb9AR75OKLU0taagylaqWCCwncNqrc4kDOvGlRgHmOotG7bX78Qq97NHi3z9Ej1JY8UunwG0bwG6TBfGGZ5', 'kQrWgQS34ENfkrlYjTYNC4ikRuc9EIbQDJWTwriC1bLsdVnv6YsZ0ejAvf7M3ZKVoRo12x3YW6qE4mzhnxysWY5c', 'Y3NUeuyymxrXeno0mxK89U9tlS1GwsmQ0ZLMDTdCDLacJUXaSkJUcKfRYQr0RBKWqEsmhYxjGON9mgtTlVxwBNTd', 'Pd4Xgk2oRPmAv2R5JJMP6AQwv8RtGWduCata7cdVMDDKZOPS1vJCEXLgG8FUhQCU2NlgTcyIdZswBzRfolZjCKNR'
Source: xt.exe, uSAYiVGM1xAtzTg6K9aWw.cs | Base64 encoded string: 'nWWz27LM1GDZ3syccBx9zmx2Q0XJ33UGpnesIVrqOTisns1pavBt5C6H2stgQcC2jApjVcfqqvKzE2wI'
Source: winsct.0.dr, wfFHiJCCL3FGmDspZvXiZ.cs | Base64 encoded string: 'oJFINUfGwLCScrXpeGQcLRkMYJTeZcidtsBX3d6zWElA3uj92iMOhHeCQnFnq8gdr2xY34Tozd0zptjX'
Source: winsct.0.dr, xXPfyxuXm0zZ0PdrVwchw1pLo6DEw1zRB0pAJDIgwIj.cs | Base64 encoded string: 'rjNlqZb9AR75OKLU0taagylaqWCCwncNqrc4kDOvGlRgHmOotG7bX78Qq97NHi3z9Ej1JY8UunwG0bwG6TBfGGZ5', 'kQrWgQS34ENfkrlYjTYNC4ikRuc9EIbQDJWTwriC1bLsdVnv6YsZ0ejAvf7M3ZKVoRo12x3YW6qE4mzhnxysWY5c', 'Y3NUeuyymxrXeno0mxK89U9tlS1GwsmQ0ZLMDTdCDLacJUXaSkJUcKfRYQr0RBKWqEsmhYxjGON9mgtTlVxwBNTd', 'Pd4Xgk2oRPmAv2R5JJMP6AQwv8RtGWduCata7cdVMDDKZOPS1vJCEXLgG8FUhQCU2NlgTcyIdZswBzRfolZjCKNR'
Source: winsct.0.dr, uSAYiVGM1xAtzTg6K9aWw.cs | Base64 encoded string: 'nWWz27LM1GDZ3syccBx9zmx2Q0XJ33UGpnesIVrqOTisns1pavBt5C6H2stgQcC2jApjVcfqqvKzE2wI'
Source: winsct.0.dr, xXPfyxuXm0zZ0PdrVwchw1pLo6DEw1zRB0pAJDIgwIj.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: winsct.0.dr, xXPfyxuXm0zZ0PdrVwchw1pLo6DEw1zRB0pAJDIgwIj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: xt.exe, xXPfyxuXm0zZ0PdrVwchw1pLo6DEw1zRB0pAJDIgwIj.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: xt.exe, xXPfyxuXm0zZ0PdrVwchw1pLo6DEw1zRB0pAJDIgwIj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/3@1/2
Source: C:\Users\user\Desktop\xt.exe | File created: C:\Users\user\AppData\Roaming\winsct
Source: C:\Users\user\Desktop\xt.exe | Mutant created: NULL
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Users\user\Desktop\xt.exe | Mutant created: \Sessions\1\BaseNamedObjects\qTvlWb6Q4ffzJk0T
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03
Source: C:\Users\user\Desktop\xt.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: xt.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xt.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\xt.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\xt.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: xt.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\xt.exe | File read: C:\Users\user\Desktop\xt.exe
Source: unknown | Process created: C:\Users\user\Desktop\xt.exe "C:\Users\user\Desktop\xt.exe"
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Users\user\Desktop\xt.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\xt.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dxcore.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dcomp.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\xt.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                    Source: winsct.lnk.0.drLNK file: ..\..\..\..\..\winsct
                    Source: xt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: xt.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: xt.exe, UX4ty6kY2bUSqD5iXcc61Abke2ZIokHFYyvoPqIuEOecnnPkr4c65IGMSf6uTwDD8TEfE527a629.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{adV9scFdxF7Xt2yVo48jh4RR8S.KRaUzah2NfVtLew1l29GuPni6h,adV9scFdxF7Xt2yVo48jh4RR8S.iysePGzBGAVOr0Ni58snqe20bR,adV9scFdxF7Xt2yVo48jh4RR8S.hhgJnCyjoROMBxgNZ6PHc5fkRN,adV9scFdxF7Xt2yVo48jh4RR8S.Ftxa6iuuBuN6ottqAo8Oc29yTB,ctFbR620ZUOpzfNILIZDq.TpzhFR40u15GSkejoFW7d()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: xt.exe, UX4ty6kY2bUSqD5iXcc61Abke2ZIokHFYyvoPqIuEOecnnPkr4c65IGMSf6uTwDD8TEfE527a629.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Od1Sn81YwtLykNUrNX587GfYzw2N0v0pIFYQtkcDMcVgbGMdj9ruIRFxcECyVuXD8JiAfUZ5zmZcuB91LCz7HecOvtXCA[2],ctFbR620ZUOpzfNILIZDq._1lxGqCDNNFUP8yyEQBLfc(Convert.FromBase64String(Od1Sn81YwtLykNUrNX587GfYzw2N0v0pIFYQtkcDMcVgbGMdj9ruIRFxcECyVuXD8JiAfUZ5zmZcuB91LCz7HecOvtXCA[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: xt.exe, UX4ty6kY2bUSqD5iXcc61Abke2ZIokHFYyvoPqIuEOecnnPkr4c65IGMSf6uTwDD8TEfE527a629.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Od1Sn81YwtLykNUrNX587GfYzw2N0v0pIFYQtkcDMcVgbGMdj9ruIRFxcECyVuXD8JiAfUZ5zmZcuB91LCz7HecOvtXCA[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: winsct.0.dr, UX4ty6kY2bUSqD5iXcc61Abke2ZIokHFYyvoPqIuEOecnnPkr4c65IGMSf6uTwDD8TEfE527a629.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{adV9scFdxF7Xt2yVo48jh4RR8S.KRaUzah2NfVtLew1l29GuPni6h,adV9scFdxF7Xt2yVo48jh4RR8S.iysePGzBGAVOr0Ni58snqe20bR,adV9scFdxF7Xt2yVo48jh4RR8S.hhgJnCyjoROMBxgNZ6PHc5fkRN,adV9scFdxF7Xt2yVo48jh4RR8S.Ftxa6iuuBuN6ottqAo8Oc29yTB,ctFbR620ZUOpzfNILIZDq.TpzhFR40u15GSkejoFW7d()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: winsct.0.dr, UX4ty6kY2bUSqD5iXcc61Abke2ZIokHFYyvoPqIuEOecnnPkr4c65IGMSf6uTwDD8TEfE527a629.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Od1Sn81YwtLykNUrNX587GfYzw2N0v0pIFYQtkcDMcVgbGMdj9ruIRFxcECyVuXD8JiAfUZ5zmZcuB91LCz7HecOvtXCA[2],ctFbR620ZUOpzfNILIZDq._1lxGqCDNNFUP8yyEQBLfc(Convert.FromBase64String(Od1Sn81YwtLykNUrNX587GfYzw2N0v0pIFYQtkcDMcVgbGMdj9ruIRFxcECyVuXD8JiAfUZ5zmZcuB91LCz7HecOvtXCA[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: winsct.0.dr, UX4ty6kY2bUSqD5iXcc61Abke2ZIokHFYyvoPqIuEOecnnPkr4c65IGMSf6uTwDD8TEfE527a629.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Od1Sn81YwtLykNUrNX587GfYzw2N0v0pIFYQtkcDMcVgbGMdj9ruIRFxcECyVuXD8JiAfUZ5zmZcuB91LCz7HecOvtXCA[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: xt.exe, UX4ty6kY2bUSqD5iXcc61Abke2ZIokHFYyvoPqIuEOecnnPkr4c65IGMSf6uTwDD8TEfE527a629.cs | .Net Code: eVa8dYTflYEE10eWQ8zNvfurPOFG0BmIny0oG5fBQ8aJ9c0oVnKVPtOcXw4Bi System.AppDomain.Load(byte[])
                    Source: xt.exe, UX4ty6kY2bUSqD5iXcc61Abke2ZIokHFYyvoPqIuEOecnnPkr4c65IGMSf6uTwDD8TEfE527a629.cs | .Net Code: _2TGkzaeOCBZZGNHxBmyjF7lvfb54764idik0GLafw2X7J7eX3bIYGfsmN6vWs System.AppDomain.Load(byte[])
                    Source: xt.exe, UX4ty6kY2bUSqD5iXcc61Abke2ZIokHFYyvoPqIuEOecnnPkr4c65IGMSf6uTwDD8TEfE527a629.cs | .Net Code: _2TGkzaeOCBZZGNHxBmyjF7lvfb54764idik0GLafw2X7J7eX3bIYGfsmN6vWs
                    Source: winsct.0.dr, UX4ty6kY2bUSqD5iXcc61Abke2ZIokHFYyvoPqIuEOecnnPkr4c65IGMSf6uTwDD8TEfE527a629.cs | .Net Code: eVa8dYTflYEE10eWQ8zNvfurPOFG0BmIny0oG5fBQ8aJ9c0oVnKVPtOcXw4Bi System.AppDomain.Load(byte[])
                    Source: winsct.0.dr, UX4ty6kY2bUSqD5iXcc61Abke2ZIokHFYyvoPqIuEOecnnPkr4c65IGMSf6uTwDD8TEfE527a629.cs | .Net Code: _2TGkzaeOCBZZGNHxBmyjF7lvfb54764idik0GLafw2X7J7eX3bIYGfsmN6vWs System.AppDomain.Load(byte[])
                    Source: winsct.0.dr, UX4ty6kY2bUSqD5iXcc61Abke2ZIokHFYyvoPqIuEOecnnPkr4c65IGMSf6uTwDD8TEfE527a629.cs | .Net Code: _2TGkzaeOCBZZGNHxBmyjF7lvfb54764idik0GLafw2X7J7eX3bIYGfsmN6vWs
                    Source: C:\Users\user\Desktop\xt.exe | Code function: 0_2_00007FF7C0E800BD pushad ; iretd 0_2_00007FF7C0E800C1
                    Source: xt.exe, BSlIH5PaPUC1KqezJtVo6.cs | High entropy of concatenated method names: 'QewS7YtaUqHSBvO1bgCb1', 'yFiCNQC9I4j7fGqRwT86q', 'KcrQOM4nGEEpf9CatqeupqkCkjWkg29HBAkGDS2hfmJWGcwM7f577', 'hPLBPqVgD3bDjo5RcUK63H43A', 'hVhDExc9jNDfEamDZLnu4553U', 'peMZ4rDpITvYoXgIgayoeDe6Z', 'yfG3JtSUhX3lLHmkTO1GDBBoV', 'M07J7bWTFnFoCfolqcd0WXNUp', '_3FDQOOWwhshrtPwUTx5KpGg5Q', 'PyY0aXXRISBms49pxqg39xEZl'
                    Source: xt.exe, PCQvc4e2IhrLBVMKHOyHTlxidfpiHmJLtAwBFnfsF39KuWwZ739Dk6q7ejaPXGhDcP2Bux8XsQmNsFfhSxI.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'qMmLAnNz8IxhFprIKHMJ9hCf1uyGHz7SRfcBIciJ1mLetp4XOn0CAjcD1YgMVd5lAOtF1xi', 'IJWD4QHDelRPqeAX0fSJCezJyWBtwPJcUv9ZXVdKcn4HDvlqwdWlYE4JOgdvLCCQ1EJRjwL', 'p7XktjnT51lqiJ1CuaBNmL6wd7KGC5o8bLL0dbYsqMLQjRGmCu5npNOfeUD5Ef3yn8lT4z0', 'FuQg8UuNHlkQxhqzPkG6s6TofWSk6w3t8AwdVgEwCQp5hivj4jkIYfnYMQwqPrxHVXOcaLP'
                    Source: xt.exe, wfFHiJCCL3FGmDspZvXiZ.cs | High entropy of concatenated method names: 'YID4HrmToDsGA6kaksegJ', 'iCZx1uLvUmG6g0nObOMXdMhdDgh0N7W2pkGe35JpHsbmsuVLDtPE1cg7Zt19zOLzoiuMS7iiq3FkXr6R', 'bJOHNIWnsR5DqC1Ign2iDvst50mF16REmC3ack47CpTf0uPq3OQphzbWPgm5gebo53uWRTstJa5cUOST', 'iSWgHyxQnG7GbjpbC9sVOGJJDx6MlnGXxbVN4KHdrTD5Y1Xo3Qk2W4SLqaXgb6S29Q', 'A3jK7cVzyBtaeuMzj2qrCR4hQFTVtOZ2g6t9k8qLVoSWqqwpydIYYSYsl4P3cOfndL'
                    Source: xt.exe, ctFbR620ZUOpzfNILIZDq.cs | High entropy of concatenated method names: 'VYcyV5gSyka6pMOYsIh6h', 'VG6tiNqxkhTUf868P49BV', 'JSWul29L8oCWykizhQuM5', 'BCqTvHRVC5XNcMOuEdElX', 'Tc4CgyrxFGUYmcFn1IcSV', 'OHBpv4G4Vmej58mPraWKH', '_19wPDeMj3z83LQW9Rskll', 'G0JMyA8no0vtR3fobrDaI', 'F0xGliYDyvIQPlHRcwGO4', '_5gvi4c1EMsWH68STCTGud'
                    Source: xt.exe, boV4Tsp2oNqR5oPFoIkfTJsv0f3IYanLE7d5nP4tFxEYlKQUzQ0GXK5bdg3kXPnZxkQfqfx1Sji92LLJy1bMuu0YdKOHh.cs | High entropy of concatenated method names: 'LQXhBtwQaIpho5r0O8qX5IS1f5i7IOADIJBV0NxC9siB8AYsdUsV4J25iqGWncY8NtpgSbjnCwj0kFpLypIVZMC7OgL6E', 'eWHW2hgEOof8odMF', 'MZOwup6J8bXmMTyc', 'bPj5rHPkWESIaqCl', 'mZ2NZs3YZAhoJdTQ'
                    Source: xt.exe, tfnun6OE7UgO0RAka4POEoN78hXDq6ygQiU5U4MS1gsWmkPMU4qzGPmFniOC6XLrmwkjP8B4RxcqKF.cs | High entropy of concatenated method names: 'GzUb8O2gwFEup0UGyUY7ZV3UyvtiHbzRWSd6tzWwalJsl7o0UieerfzkGdcYOlizVSZ7JXupx9DGMj', 'avLILyRcWxZfdtXZ4dvbgOAryWyPCQ4M8YIQKHXi7kS1wUNXUCjUMHcILiHKxH0eZAINGDNBWCAZ2b', 'X9tjESipSoQAbkcuXtoBcrZaGuTAeoYpMLuRNRnsvLQlZZ6Kc3Mx4UJHok5KG4c5zwNcA3Y8hnT46m', 'ci4cHO9Wih8mlI78bcPtiT4iOnN7kiB9ERLxAdFkjuw9seoQTgOZ39r29UmTZoAGxAotBRDmqPi349', '_2E4Lzt9k6ecyJtSqIe5B9SyS1Qu7EjbKfxpqOKKxfgmFi760H0FZOvolmzbO0aurhMnBvTCNqAiufL', 'J5qnv2G6auXananitC9DIuARKHRAkET6HUjoUSbZAPFq3s2kOayOregoK0JJi7IxM8ZTzHSDoSo4Xt', 'eOWPfRcjHm1071jd7xInpKbX6lsHNyzb6mR6mIwbPcwv7t2vwKHlR1jVm8Kknj3MtwhMDHf71Uut4t', 'xbLIV9WkjzSuuktT0oWFf4VKFiyvqVBzrPxFopElQAIVhBq62TlLH9JXRwmdMAPtjG9IYUbZL1suoI', 'tEYQIPjbtPug2oUoMs6TO', 'LJtwxmcUmXbYEIovymD0j'
                    Source: xt.exe, xXPfyxuXm0zZ0PdrVwchw1pLo6DEw1zRB0pAJDIgwIj.cs | High entropy of concatenated method names: 'DTgX7uRfTNBDeiIAi9DvqVtKEwLp10mPyqPfwR0xWu5', 'VbpVpW1IDwbak3zZ1M3zfj6J9yAKPtM0V5g7QI0hbI8', 'Ox0bnG0WT05yv9iEmWnsJSktg4uRthRij2bTvPkTiBN', 'ROmslneegIyX340UtDVTgkfYkfsuWpuCR2UhJdJAGfN', 'akwem7AJIEjc4Y375Kh0n3jJHpNZcQgnhTdQwwnw9ct', '_9hzBSFYIJbmqq3xC2Q82KqimRNwNb79HtrHyq1FG54Z', 'q238ac3d7gDMifOrY1zXNLbOoaABPBHmyUc6ZsWh8mQ', 'KCD3tcH23PR2BTH9hu92OC2X1xnKhChexuwH4ROlOIY', '_7eXsDIxUMLeFyvwUBcpmS3IFSkDqg11aWPP0fTIuh8e', 'dySrDZNgXviaWKEhPCkrcc1Lp2GqQrXFcyPqrrnFUVB'
                    Source: xt.exe, UX4ty6kY2bUSqD5iXcc61Abke2ZIokHFYyvoPqIuEOecnnPkr4c65IGMSf6uTwDD8TEfE527a629.cs | High entropy of concatenated method names: '_3lwxjHYA9dE2DTHCPcMCDj1UwS2D2orDBUsjGh84JDnFrRBDFrcRF2mCGW9ytFWVYpBujE8qCkEO', 'eVa8dYTflYEE10eWQ8zNvfurPOFG0BmIny0oG5fBQ8aJ9c0oVnKVPtOcXw4Bi', 'ySUWRIumP111KD6Xu9p75DI2HQo9NnmZsNmaUku8U0kMuKZR4fN35rC8ij7Wz', 'TlGUNMh1IZOEEuIMT8QpSBvFJxacTrEQ7vtPJBEDcK5CYvYsBTqGmR1BY6M81', 'UXZBM02RpR8XWQRO50atby2bhcdrTsifdWi2nZY4nu9MfelUi74r7b8Dponx6', 'XPFTmazRHgYyqztu8MxAUwefmSVirz0XoPbHrENva0xAxipfLi2ypYSzu2K7E', 'JlN1u4BvZJiisNcTY1z6Afe8alMrpt8L57OjdlU388suXQt0gmxERLAelx0lJ', 'GxiMGKNR7gqF6HliMncXAFBfLBYH8hSP6vjoAAyizvVx7b9f7npKG0Gf4DC7d', 'kuwT4YX1fi1YuihFD3kMzuj7zzZvPykNjTUMMOhy9yIhq3pwL5lOeU0mAtcij', 'dtr8WAFJkxtBj9dBeLkOHou3OdRzMOCv4MA0inlmDiXwq68fsFIQOFiy67ypy'
                    Source: xt.exe, pivg2sc6qdgJyvPz89duRydUD6.cs | High entropy of concatenated method names: '_2Cy8C67NeqlqbsOsy5xICNTW9B', 'V94XExyLiAErrwpAw0fdqsgOu0', 'haCKjfgHg8bGnGix7neIDF7FPr', 'niW1UyJh8CL', '_55FbE7dO8Sp', 'Rb8JZSkQGX1', '_8QjlcnUMLQe', 'H7J4TznU8xg', 'gquDiJm1M54VCN2gJaAkwzHxIXD05cwoL3HpHMRVoeZ', 'zu1dsP0ahexObovSKMATInVVj9gYopJwC9eRc3LCWFe'
                    Source: xt.exe, uSAYiVGM1xAtzTg6K9aWw.cs | High entropy of concatenated method names: 'RRilyVcnoUHbeNrocisOF', '_7YyU3fsWOA5UWxuYx5nxb', 'ZX8UGn8bAv4KTsXneS3Wk', 'GECHoEk0Z4i6LRZyR1XXJ', 'gdEZvnLYfKTqTcMbFxLsDWJbt29jmqA4Kfc0AGm7L8UfUEQQ', 'qQYYCjBfnG8TLVCPHXEYnnPR1Mrq68ZS5kRL1i1GDZIqYsvN', 'iUcNj5TCQmdRdkByNcCYPrEHuWRVMwG3urLQqd6yvGkxM7sx', 'l92ItF5y7zqRRHiK8NPMErXIIMhHTAWzUzzw0lqB3V7AxT4j', 'l1fVL8GtRi7xCPklfkHQWzl0c9Lgi7r6e6rARpEDDRNBRx8GcEUMCbdO2AZPxE4HL88Scv6q37KKljUI', 'n5bdsTMpG0jjhpm5jMEobzGfOwGCZsSz0amqbk4qRGTzmMPCOYDp4ydlZvPSVd3xXYzT5mIdQZutyyEV'
                    Source: winsct.0.dr, BSlIH5PaPUC1KqezJtVo6.cs | High entropy of concatenated method names: 'QewS7YtaUqHSBvO1bgCb1', 'yFiCNQC9I4j7fGqRwT86q', 'KcrQOM4nGEEpf9CatqeupqkCkjWkg29HBAkGDS2hfmJWGcwM7f577', 'hPLBPqVgD3bDjo5RcUK63H43A', 'hVhDExc9jNDfEamDZLnu4553U', 'peMZ4rDpITvYoXgIgayoeDe6Z', 'yfG3JtSUhX3lLHmkTO1GDBBoV', 'M07J7bWTFnFoCfolqcd0WXNUp', '_3FDQOOWwhshrtPwUTx5KpGg5Q', 'PyY0aXXRISBms49pxqg39xEZl'
                    Source: winsct.0.dr, PCQvc4e2IhrLBVMKHOyHTlxidfpiHmJLtAwBFnfsF39KuWwZ739Dk6q7ejaPXGhDcP2Bux8XsQmNsFfhSxI.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'qMmLAnNz8IxhFprIKHMJ9hCf1uyGHz7SRfcBIciJ1mLetp4XOn0CAjcD1YgMVd5lAOtF1xi', 'IJWD4QHDelRPqeAX0fSJCezJyWBtwPJcUv9ZXVdKcn4HDvlqwdWlYE4JOgdvLCCQ1EJRjwL', 'p7XktjnT51lqiJ1CuaBNmL6wd7KGC5o8bLL0dbYsqMLQjRGmCu5npNOfeUD5Ef3yn8lT4z0', 'FuQg8UuNHlkQxhqzPkG6s6TofWSk6w3t8AwdVgEwCQp5hivj4jkIYfnYMQwqPrxHVXOcaLP'
                    Source: winsct.0.dr, wfFHiJCCL3FGmDspZvXiZ.cs | High entropy of concatenated method names: 'YID4HrmToDsGA6kaksegJ', 'iCZx1uLvUmG6g0nObOMXdMhdDgh0N7W2pkGe35JpHsbmsuVLDtPE1cg7Zt19zOLzoiuMS7iiq3FkXr6R', 'bJOHNIWnsR5DqC1Ign2iDvst50mF16REmC3ack47CpTf0uPq3OQphzbWPgm5gebo53uWRTstJa5cUOST', 'iSWgHyxQnG7GbjpbC9sVOGJJDx6MlnGXxbVN4KHdrTD5Y1Xo3Qk2W4SLqaXgb6S29Q', 'A3jK7cVzyBtaeuMzj2qrCR4hQFTVtOZ2g6t9k8qLVoSWqqwpydIYYSYsl4P3cOfndL'
                    Source: winsct.0.dr, ctFbR620ZUOpzfNILIZDq.cs | High entropy of concatenated method names: 'VYcyV5gSyka6pMOYsIh6h', 'VG6tiNqxkhTUf868P49BV', 'JSWul29L8oCWykizhQuM5', 'BCqTvHRVC5XNcMOuEdElX', 'Tc4CgyrxFGUYmcFn1IcSV', 'OHBpv4G4Vmej58mPraWKH', '_19wPDeMj3z83LQW9Rskll', 'G0JMyA8no0vtR3fobrDaI', 'F0xGliYDyvIQPlHRcwGO4', '_5gvi4c1EMsWH68STCTGud'
                    Source: winsct.0.dr, boV4Tsp2oNqR5oPFoIkfTJsv0f3IYanLE7d5nP4tFxEYlKQUzQ0GXK5bdg3kXPnZxkQfqfx1Sji92LLJy1bMuu0YdKOHh.cs | High entropy of concatenated method names: 'LQXhBtwQaIpho5r0O8qX5IS1f5i7IOADIJBV0NxC9siB8AYsdUsV4J25iqGWncY8NtpgSbjnCwj0kFpLypIVZMC7OgL6E', 'eWHW2hgEOof8odMF', 'MZOwup6J8bXmMTyc', 'bPj5rHPkWESIaqCl', 'mZ2NZs3YZAhoJdTQ'
                    Source: winsct.0.dr, tfnun6OE7UgO0RAka4POEoN78hXDq6ygQiU5U4MS1gsWmkPMU4qzGPmFniOC6XLrmwkjP8B4RxcqKF.cs | High entropy of concatenated method names: 'GzUb8O2gwFEup0UGyUY7ZV3UyvtiHbzRWSd6tzWwalJsl7o0UieerfzkGdcYOlizVSZ7JXupx9DGMj', 'avLILyRcWxZfdtXZ4dvbgOAryWyPCQ4M8YIQKHXi7kS1wUNXUCjUMHcILiHKxH0eZAINGDNBWCAZ2b', 'X9tjESipSoQAbkcuXtoBcrZaGuTAeoYpMLuRNRnsvLQlZZ6Kc3Mx4UJHok5KG4c5zwNcA3Y8hnT46m', 'ci4cHO9Wih8mlI78bcPtiT4iOnN7kiB9ERLxAdFkjuw9seoQTgOZ39r29UmTZoAGxAotBRDmqPi349', '_2E4Lzt9k6ecyJtSqIe5B9SyS1Qu7EjbKfxpqOKKxfgmFi760H0FZOvolmzbO0aurhMnBvTCNqAiufL', 'J5qnv2G6auXananitC9DIuARKHRAkET6HUjoUSbZAPFq3s2kOayOregoK0JJi7IxM8ZTzHSDoSo4Xt', 'eOWPfRcjHm1071jd7xInpKbX6lsHNyzb6mR6mIwbPcwv7t2vwKHlR1jVm8Kknj3MtwhMDHf71Uut4t', 'xbLIV9WkjzSuuktT0oWFf4VKFiyvqVBzrPxFopElQAIVhBq62TlLH9JXRwmdMAPtjG9IYUbZL1suoI', 'tEYQIPjbtPug2oUoMs6TO', 'LJtwxmcUmXbYEIovymD0j'
                    Source: winsct.0.dr, xXPfyxuXm0zZ0PdrVwchw1pLo6DEw1zRB0pAJDIgwIj.cs | High entropy of concatenated method names: 'DTgX7uRfTNBDeiIAi9DvqVtKEwLp10mPyqPfwR0xWu5', 'VbpVpW1IDwbak3zZ1M3zfj6J9yAKPtM0V5g7QI0hbI8', 'Ox0bnG0WT05yv9iEmWnsJSktg4uRthRij2bTvPkTiBN', 'ROmslneegIyX340UtDVTgkfYkfsuWpuCR2UhJdJAGfN', 'akwem7AJIEjc4Y375Kh0n3jJHpNZcQgnhTdQwwnw9ct', '_9hzBSFYIJbmqq3xC2Q82KqimRNwNb79HtrHyq1FG54Z', 'q238ac3d7gDMifOrY1zXNLbOoaABPBHmyUc6ZsWh8mQ', 'KCD3tcH23PR2BTH9hu92OC2X1xnKhChexuwH4ROlOIY', '_7eXsDIxUMLeFyvwUBcpmS3IFSkDqg11aWPP0fTIuh8e', 'dySrDZNgXviaWKEhPCkrcc1Lp2GqQrXFcyPqrrnFUVB'
                    Source: winsct.0.dr, UX4ty6kY2bUSqD5iXcc61Abke2ZIokHFYyvoPqIuEOecnnPkr4c65IGMSf6uTwDD8TEfE527a629.cs | High entropy of concatenated method names: '_3lwxjHYA9dE2DTHCPcMCDj1UwS2D2orDBUsjGh84JDnFrRBDFrcRF2mCGW9ytFWVYpBujE8qCkEO', 'eVa8dYTflYEE10eWQ8zNvfurPOFG0BmIny0oG5fBQ8aJ9c0oVnKVPtOcXw4Bi', 'ySUWRIumP111KD6Xu9p75DI2HQo9NnmZsNmaUku8U0kMuKZR4fN35rC8ij7Wz', 'TlGUNMh1IZOEEuIMT8QpSBvFJxacTrEQ7vtPJBEDcK5CYvYsBTqGmR1BY6M81', 'UXZBM02RpR8XWQRO50atby2bhcdrTsifdWi2nZY4nu9MfelUi74r7b8Dponx6', 'XPFTmazRHgYyqztu8MxAUwefmSVirz0XoPbHrENva0xAxipfLi2ypYSzu2K7E', 'JlN1u4BvZJiisNcTY1z6Afe8alMrpt8L57OjdlU388suXQt0gmxERLAelx0lJ', 'GxiMGKNR7gqF6HliMncXAFBfLBYH8hSP6vjoAAyizvVx7b9f7npKG0Gf4DC7d', 'kuwT4YX1fi1YuihFD3kMzuj7zzZvPykNjTUMMOhy9yIhq3pwL5lOeU0mAtcij', 'dtr8WAFJkxtBj9dBeLkOHou3OdRzMOCv4MA0inlmDiXwq68fsFIQOFiy67ypy'
                    Source: winsct.0.dr, pivg2sc6qdgJyvPz89duRydUD6.cs | High entropy of concatenated method names: '_2Cy8C67NeqlqbsOsy5xICNTW9B', 'V94XExyLiAErrwpAw0fdqsgOu0', 'haCKjfgHg8bGnGix7neIDF7FPr', 'niW1UyJh8CL', '_55FbE7dO8Sp', 'Rb8JZSkQGX1', '_8QjlcnUMLQe', 'H7J4TznU8xg', 'gquDiJm1M54VCN2gJaAkwzHxIXD05cwoL3HpHMRVoeZ', 'zu1dsP0ahexObovSKMATInVVj9gYopJwC9eRc3LCWFe'
                    Source: winsct.0.dr, uSAYiVGM1xAtzTg6K9aWw.cs | High entropy of concatenated method names: 'RRilyVcnoUHbeNrocisOF', '_7YyU3fsWOA5UWxuYx5nxb', 'ZX8UGn8bAv4KTsXneS3Wk', 'GECHoEk0Z4i6LRZyR1XXJ', 'gdEZvnLYfKTqTcMbFxLsDWJbt29jmqA4Kfc0AGm7L8UfUEQQ', 'qQYYCjBfnG8TLVCPHXEYnnPR1Mrq68ZS5kRL1i1GDZIqYsvN', 'iUcNj5TCQmdRdkByNcCYPrEHuWRVMwG3urLQqd6yvGkxM7sx', 'l92ItF5y7zqRRHiK8NPMErXIIMhHTAWzUzzw0lqB3V7AxT4j', 'l1fVL8GtRi7xCPklfkHQWzl0c9Lgi7r6e6rARpEDDRNBRx8GcEUMCbdO2AZPxE4HL88Scv6q37KKljUI', 'n5bdsTMpG0jjhpm5jMEobzGfOwGCZsSz0amqbk4qRGTzmMPCOYDp4ydlZvPSVd3xXYzT5mIdQZutyyEV'
                    Source: C:\Users\user\Desktop\xt.exe | File created: C:\Users\user\AppData\Roaming\winsct
                    Source: C:\Users\user\Desktop\xt.exe | File created: C:\Users\user\AppData\Roaming\winsct
                    Source: C:\Users\user\Desktop\xt.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winsct.lnk
                    Source: C:\Users\user\Desktop\xt.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winsct.lnk
                    Source: C:\Users\user\Desktop\xt.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winsct
                    Source: C:\Users\user\Desktop\xt.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winsct
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xt.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: C:\Users\user\Desktop\xt.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: xt.exe, winsct.0.dr | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\xt.exe | Memory allocated: B40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\xt.exe | Memory allocated: 1AC00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\xt.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\xt.exe | Window / User API: threadDelayed 2222
Source: C:\Users\user\Desktop\xt.exe | Window / User API: threadDelayed 7616
Source: C:\Users\user\Desktop\xt.exe TID: 7396 | Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\xt.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\xt.exe | File Volume queried: C:\ FullSizeInformation
Source: winsct.0.dr | Binary or memory string: vmware
Source: xt.exe, 00000000.00000002.3804657173.000000001B891000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|
Source: C:\Users\user\Desktop\xt.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\xt.exe | Code function: 0_2_00007FF7C0E87871 CheckRemoteDebuggerPresent,0_2_00007FF7C0E87871
Source: C:\Users\user\Desktop\xt.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\xt.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\xt.exe | Memory allocated: page read and write | page guard
Source: xt.exe, 00000000.00000002.3803021622.0000000002D4D000.00000004.00000800.00020000.00000000.sdmp, xt.exe, 00000000.00000002.3803021622.0000000002D93000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: xt.exe, 00000000.00000002.3803021622.0000000002D4D000.00000004.00000800.00020000.00000000.sdmp, xt.exe, 00000000.00000002.3803021622.0000000002D93000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: xt.exe, 00000000.00000002.3803021622.0000000002D4D000.00000004.00000800.00020000.00000000.sdmp, xt.exe, 00000000.00000002.3803021622.0000000002D93000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: xt.exe, 00000000.00000002.3803021622.0000000002D4D000.00000004.00000800.00020000.00000000.sdmp, xt.exe, 00000000.00000002.3803021622.0000000002D93000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: xt.exe, 00000000.00000002.3803021622.0000000002D4D000.00000004.00000800.00020000.00000000.sdmp, xt.exe, 00000000.00000002.3803021622.0000000002D93000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2m
Source: C:\Users\user\Desktop\xt.exe | Queries volume information: C:\Users\user\Desktop\xt.exe VolumeInformation
Source: C:\Users\user\Desktop\xt.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\xt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: xt.exe, 00000000.00000002.3802433195.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp, xt.exe, 00000000.00000002.3804657173.000000001B843000.00000004.00000020.00020000.00000000.sdmp, xt.exe, 00000000.00000002.3802433195.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, xt.exe, 00000000.00000002.3804657173.000000001B891000.00000004.00000020.00020000.00000000.sdmp, xt.exe, 00000000.00000002.3804657173.000000001B92D000.00000004.00000020.00020000.00000000.sdmp, xt.exe, 00000000.00000002.3804657173.000000001B8BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\xt.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: xt.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xt.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1331020077.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3803021622.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xt.exe PID: 8020, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\winsct, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: xt.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xt.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1331020077.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3803021622.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xt.exe PID: 8020, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\winsct, type: DROPPED

MITRE ATT&CK Matrix (one line per tactic; numbers in parentheses are the per-technique counts shown in the report's matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (12); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Registry Run Keys / Startup Folder (21); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (2); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (11); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (151); Process Injection (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (11); Software Packing (2); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (541); Process Discovery (2); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (23); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
xt.exe | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
xt.exe | 100% | Avira | TR/Spy.Gen
xt.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\winsct | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\winsct | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\winsct | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
45.66.231.231 | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
45.66.231.231 | true | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | xt.exe, 00000000.00000002.3803021622.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
45.66.231.231 | unknown | Germany | 33657 | CMCSUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577544
Start date and time: 2024-12-18 15:21:01 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: xt.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@3/3@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 8
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53, 23.218.208.109, 20.12.23.50
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: xt.exe
Time | Type | Description
09:22:06 | API Interceptor | 11615587x Sleep call for process: xt.exe modified
09:22:15 | API Interceptor | 2x Sleep call for process: OpenWith.exe modified
15:22:06 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run winsct C:\Users\user\AppData\Roaming\winsct
15:22:15 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run winsct C:\Users\user\AppData\Roaming\winsct
15:22:23 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winsct.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | roblox1.exe | malicious | Python Stealer, Monster Stealer | ip-api.com/json
208.95.112.1 | roblox.exe | malicious | Python Stealer, Monster Stealer | ip-api.com/json
208.95.112.1 | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | ip-api.com/json
208.95.112.1 | x.ps1 | malicious | Quasar | ip-api.com/json/
208.95.112.1 | Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | Shipping Bill6239999 dated 13122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | Creal.exe | malicious | Blackshades | ip-api.com/json/
208.95.112.1 | factura 000601.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | Orden de compra_#000000090764534236475890765432567890765768978687569867970875766868.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | roblox1.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
ip-api.com | roblox.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
ip-api.com | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 208.95.112.1
ip-api.com | x.ps1 | malicious | Quasar | 208.95.112.1
ip-api.com | https://funcilnewshical.com/76e41238-e8a4-483e-8f1d-ad83b34d4805?batchid=Douglasgrimes-Testsetup&carrier=carrier&textid=textid&brand=register.douglasgrimes.com&source=source&messageId=messageId&name=Lisa&phone=phone&step=step&domain=domain&cost=cost | malicious | Unknown | 208.95.112.2
ip-api.com | Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
ip-api.com | Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
ip-api.com | Shipping Bill6239999 dated 13122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
ip-api.com | Creal.exe | malicious | Blackshades | 208.95.112.1
ip-api.com | factura 000601.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
s-part-0035.t-0009.t-msedge.net | Order_948575494759.xls | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | Order_948575494759.xls | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | ldqj18tn.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | DOC.exe | malicious | Cryptbot | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 2.png.ps1 | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 1.png.ps1 | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | ko.ps1.2.ps1 | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | kjshdgacg18.bat | malicious | Abobus Obfuscator, Braodo | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | steel.exe.2.exe | malicious | Socks5Systemz | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | random.exe.17.exe | malicious | ScreenConnect Tool | 13.107.246.63

Match | Associated Sample Name / URL | Detection | Threat Name | Context
TUT-ASUS | roblox1.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
TUT-ASUS | roblox.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
TUT-ASUS | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 208.95.112.1
TUT-ASUS | x.ps1 | malicious | Quasar | 208.95.112.1
TUT-ASUS | https://funcilnewshical.com/76e41238-e8a4-483e-8f1d-ad83b34d4805?batchid=Douglasgrimes-Testsetup&carrier=carrier&textid=textid&brand=register.douglasgrimes.com&source=source&messageId=messageId&name=Lisa&phone=phone&step=step&domain=domain&cost=cost | malicious | Unknown | 208.95.112.2
TUT-ASUS | Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
TUT-ASUS | Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
TUT-ASUS | Shipping Bill6239999 dated 13122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
TUT-ASUS | Creal.exe | malicious | Blackshades | 208.95.112.1
TUT-ASUS | factura 000601.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
CMCSUS | https://share.hsforms.com/1Izw71u6TTr2VFC-t9f1KFgsvgdj | malicious | Unknown | 85.208.139.7
CMCSUS | x86_64.elf | malicious | Mirai | 50.238.119.249
CMCSUS | arm.elf | malicious | Unknown | 50.226.169.202
CMCSUS | armv7l.elf | malicious | Mirai | 216.45.216.151
CMCSUS | rebirth.spc.elf | malicious | Mirai, Okiru | 50.220.100.140
CMCSUS | arm7.nn.elf | malicious | Mirai, Okiru | 50.207.84.136
CMCSUS | MYNEWRDX.exe | malicious | RedLine | 45.66.231.214
CMCSUS | xGizlHFlne.exe | malicious | RedLine | 141.98.6.120
CMCSUS | https://commandes.maisonetstyles.com/Short/?Verification=aalborz_02@yahoo.com | malicious | Unknown | 23.208.8.211
CMCSUS | file.exe | malicious | XenoRAT | 85.209.133.150
                            No context
                            No context
Process: C:\Users\user\Desktop\xt.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 35
Entropy (8bit): 3.7071562309216133
Encrypted: false
SSDEEP: 3:rRSFYJKXzovNsr4rn:EFYJKDoWrcn
MD5: BFABEC865892A34F532FABF984F7E156
SHA1: 3C8292E49FEFD3DA96DBC289B36C4C710B0127E3
SHA-256: 8C8E36E0088165B6606F75DF86D53D3527FD36518C5AAB07425969B066FEEEC6
SHA-512: CA042E157B8C0E728991567016DF2036D8E6E4311CC74E7DB8AB6335AC20C02BD8099F3248E82B8DB5C26A7C6B687D1D7A440EC77D55B3BAE42D3753DBD63129
Malicious: false
Reputation: moderate, very likely benign file
Preview: ....### explorer ###..[WIN]r[WIN]r

Process: C:\Users\user\Desktop\xt.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Dec 18 13:22:06 2024, mtime=Wed Dec 18 13:22:06 2024, atime=Wed Dec 18 13:22:06 2024, length=74240, window=hide
Category: dropped
Size (bytes): 734
Entropy (8bit): 5.090684430824484
Encrypted: false
SSDEEP: 12:8EEv2us4u0YChonlZY//aFo1LVlzo2l/YjAwNHD/r31b3hmV:8V22cXlSRRVlP/8A471bxm
MD5: 0FDB91D8EEFFC6B5374A73156F15BC18
SHA1: F4D6962A656C943B3C5D9837CDD2E9BF545F99F3
SHA-256: C27001B70D5953623F08C4389126D91B2B7B805F71F517C5EF5D961822270E76
SHA-512: 11435DB445C94A4A620A31614A718BC3051F4ACB33B5A019451B04A0EC14B6B4C8E049E75F25877C9FA6B37032CD546F29C9DE75477EA9D55C562C35FF2A5ED5
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\xt.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 74240
Entropy (8bit): 5.9759105816886064
Encrypted: false
SSDEEP: 1536:9UvrIIoWxYYbC3spbmjnR9taoIXWGJ2aOmaeX7vT1:ibJrCcpbyR/zGJ2aOuXf1
MD5: 009E2424044CDB99EB7437EBA6BE15ED
SHA1: 109E876C4E86721AF7299EC34806F4B3189F084D
SHA-256: 035B9F3F186F7CD0D168F846726EA3668BE8CBEFE947EDBF1A4E385CD9D86760
SHA-512: CA0122ED5954FFB8C3A2F7BFA925771DEABFC3861A522567D2FE37537617E334DB429BE4345DEDA61F0F8FD85D067AB4D7DDD10C43E99666446C891FA34797CA
Malicious: true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\winsct, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\winsct, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\winsct, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 84%
Reputation: low
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.............................6... ...@....@.. ....................................@..................................6..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................6......H........a..........&.....................................................(....*.r...p*. *p{.*..(....*.rm..p*. S...*.s.........s.........s.........s.........*.r...p*. ..e.*.r...p*. dXI.*.r ..p*.r...p*. A...*.r...p*. .-..*..((...*.r...p*. .x!.*.r...p*. .L.*.(*...-.(+...,.+.(,...,.+.()...,.+.((...,..(N...*"(....+.*&(....&+.*.+5s`... .... .'..oa...(,...~....-.(\...(N...~....ob...&.-.*.r!..p*. .P..*.r=..p*. ....*.rY..p*. ~.H.*.ru..p*. .T..*.r...p*. !o..*.r...p*. ...*.r...p*. ..
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):5.9759105816886064
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            • Win32 Executable (generic) a (10002005/4) 49.75%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Windows Screen Saver (13104/52) 0.07%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            File name:xt.exe
                            File size:74'240 bytes
                            MD5:009e2424044cdb99eb7437eba6be15ed
                            SHA1:109e876c4e86721af7299ec34806f4b3189f084d
                            SHA256:035b9f3f186f7cd0d168f846726ea3668be8cbefe947edbf1a4e385cd9d86760
                            SHA512:ca0122ed5954ffb8c3a2f7bfa925771deabfc3861a522567d2fe37537617e334db429be4345deda61f0f8fd85d067ab4d7ddd10c43e99666446c891fa34797ca
                            SSDEEP:1536:9UvrIIoWxYYbC3spbmjnR9taoIXWGJ2aOmaeX7vT1:ibJrCcpbyR/zGJ2aOuXf1
                            TLSH:C3738D6C7BF54528E0FFABB619F63653C634F6235902D60F28C6024B1727A88CE512F6
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.............................6... ...@....@.. ....................................@................................
                            Icon Hash:90cececece8e8eb0
                            Entrypoint:0x4136ee
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66EB158A [Wed Sep 18 18:01:46 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the bytes after the 6-byte CLR entry stub are zero padding, which the disassembler renders as this instruction)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x13698          0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x14000          0x4ce         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x16000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x116f4       0x11800   791dea75f0b3f81c3baeed2b17925edd  False     0.6004603794642858  data       6.048781634837785    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x14000          0x4ce         0x600     f9052177c59fad11b6e11866b69a673f  False     0.375               data       3.726864092899557    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x16000          0xc           0x200     e72e32b0b7dd2d6945e9085a2e0386e7  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0x140a0  0x244  data                                                                                                  0.4724137931034483
RT_MANIFEST  0x142e4  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5469387755102041
DLL          Import
mscoree.dll  _CorExeMain
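The static-file tables above (entry point, data directories, sections and the single import) are enough to confirm by hand that this is a stock CLR-hosted executable rather than a native loader, and to reproduce the reported import hash. The Python below is an added example, not part of the Joe Sandbox report: it hard-codes the values shown on this page, uses only the standard library, and implements the import-hash algorithm as pefile defines it (DLL name lowercased with its extension stripped, joined to the lowercased function name, entries comma-separated, MD5 over the result). The check names and thresholds are this example's own.

```python
import hashlib
import re

# Values copied from the static-file tables of this report
IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x4136ee
ENTRY_STUB = "jmp dword ptr [00402000h]"
IMPHASH_REPORTED = "f34d5f2d4577ed6d9ceec516c1f5a744"
DATA_DIRS = {                      # name: (virtual address, size)
    "IMPORT": (0x13698, 0x53),
    "RESOURCE": (0x14000, 0x4ce),
    "BASERELOC": (0x16000, 0xc),
    "IAT": (0x2000, 0x8),
    "COM_DESCRIPTOR": (0x2008, 0x48),
}
SECTIONS = [                       # (name, virtual address, virtual size)
    (".text", 0x2000, 0x116f4),
    (".rsrc", 0x14000, 0x4ce),
    (".reloc", 0x16000, 0xc),
]
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}

IMAGE_COR20_HEADER_SIZE = 0x48     # sizeof(IMAGE_COR20_HEADER), the CLR header
THUNK_SIZE_X86 = 4                 # one IAT slot in a 32-bit image


def imphash(imports):
    """pefile-compatible import hash: 'lib.func', lowercased, DLL extension
    stripped, entries comma-joined, MD5 of the result."""
    entries = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        entries.extend(f"{lib}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(entries).encode()).hexdigest()


def section_for(rva, sections=SECTIONS):
    """Name of the section whose virtual range contains rva, or None."""
    for name, va, vsize in sections:
        if va <= rva < va + vsize:
            return name
    return None


def stub_target_rva(stub, image_base=IMAGE_BASE):
    """RVA of the pointer dereferenced by 'jmp dword ptr [XXXXXXXXh]'."""
    m = re.fullmatch(r"jmp dword ptr \[([0-9A-Fa-f]+)h\]", stub.strip())
    return int(m.group(1), 16) - image_base if m else None


def dotnet_stub_checks():
    """Each check is True when the header layout is the stock CLR entry stub."""
    ep_rva = ENTRYPOINT_VA - IMAGE_BASE
    iat_rva, iat_size = DATA_DIRS["IAT"]
    cor_rva, cor_size = DATA_DIRS["COM_DESCRIPTOR"]
    return {
        "entrypoint_in_text": section_for(ep_rva) == ".text",
        # the 6-byte stub FF 25 <addr> jumps through the only IAT slot
        "stub_jumps_through_iat": stub_target_rva(ENTRY_STUB) == iat_rva,
        # one 32-bit thunk plus the null terminator
        "iat_single_thunk": iat_size == 2 * THUNK_SIZE_X86,
        "cor20_header_present": cor_size == IMAGE_COR20_HEADER_SIZE,
        "cor20_header_in_text": section_for(cor_rva) == ".text",
        "only_clr_import": IMPORTS == {"mscoree.dll": ["_CorExeMain"]},
        # every pure .NET image shares this value, so it is not a family indicator
        "imphash_is_generic_dotnet": imphash(IMPORTS) == IMPHASH_REPORTED,
    }


if __name__ == "__main__":
    for check, ok in dotnet_stub_checks().items():
        print(f"{check:28} {'OK' if ok else 'FAIL'}")
    print("imphash:", imphash(IMPORTS))
```

Because every pure .NET image imports only mscoree.dll!_CorExeMain, the import hash f34d5f2d4577ed6d9ceec516c1f5a744 identifies the runtime stub, not the malware; pivot on the section MD5s, SSDEEP/TLSH or the .NET metadata instead when hunting for related samples.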
Timestamp                        SID      Signature                                                Severity  Source IP     Source Port  Dest IP        Dest Port  Protocol
2024-12-18T15:22:28.523990+0100  2855924  ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound  1         192.168.2.10  49726        45.66.231.231  7000       TCP
2024-12-18T15:23:33.993151+0100  2853193  ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound  1         192.168.2.10  49900        45.66.231.231  7000       TCP
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 18, 2024 15:22:05.123332977 CET  49717        80         192.168.2.10   208.95.112.1
Dec 18, 2024 15:22:05.243072987 CET  80           49717      208.95.112.1   192.168.2.10
Dec 18, 2024 15:22:05.243160009 CET  49717        80         192.168.2.10   208.95.112.1
Dec 18, 2024 15:22:05.244215965 CET  49717        80         192.168.2.10   208.95.112.1
Dec 18, 2024 15:22:05.363879919 CET  80           49717      208.95.112.1   192.168.2.10
Dec 18, 2024 15:22:06.362021923 CET  80           49717      208.95.112.1   192.168.2.10
Dec 18, 2024 15:22:06.413760900 CET  49717        80         192.168.2.10   208.95.112.1
Dec 18, 2024 15:22:08.231530905 CET  49726        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:22:08.351058960 CET  7000         49726      45.66.231.231  192.168.2.10
Dec 18, 2024 15:22:08.351190090 CET  49726        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:22:08.428524017 CET  49726        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:22:08.547992945 CET  7000         49726      45.66.231.231  192.168.2.10
Dec 18, 2024 15:22:18.497524977 CET  49726        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:22:18.617172003 CET  7000         49726      45.66.231.231  192.168.2.10
Dec 18, 2024 15:22:28.523989916 CET  49726        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:22:28.643553019 CET  7000         49726      45.66.231.231  192.168.2.10
Dec 18, 2024 15:22:30.245116949 CET  7000         49726      45.66.231.231  192.168.2.10
Dec 18, 2024 15:22:30.245995045 CET  49726        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:22:31.570303917 CET  49726        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:22:31.571070910 CET  49787        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:22:31.689908028 CET  7000         49726      45.66.231.231  192.168.2.10
Dec 18, 2024 15:22:31.690635920 CET  7000         49787      45.66.231.231  192.168.2.10
Dec 18, 2024 15:22:31.690953970 CET  49787        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:22:31.725023031 CET  49787        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:22:31.844809055 CET  7000         49787      45.66.231.231  192.168.2.10
Dec 18, 2024 15:22:46.023819923 CET  49787        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:22:46.143518925 CET  7000         49787      45.66.231.231  192.168.2.10
Dec 18, 2024 15:22:52.130167007 CET  80           49717      208.95.112.1   192.168.2.10
Dec 18, 2024 15:22:52.133457899 CET  49717        80         192.168.2.10   208.95.112.1
Dec 18, 2024 15:22:53.603993893 CET  7000         49787      45.66.231.231  192.168.2.10
Dec 18, 2024 15:22:53.604084015 CET  49787        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:22:55.054763079 CET  49787        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:22:55.055552959 CET  49841        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:22:55.174489975 CET  7000         49787      45.66.231.231  192.168.2.10
Dec 18, 2024 15:22:55.175420046 CET  7000         49841      45.66.231.231  192.168.2.10
Dec 18, 2024 15:22:55.175497055 CET  49841        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:22:55.202255011 CET  49841        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:22:55.322403908 CET  7000         49841      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:09.054918051 CET  49841        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:09.174515963 CET  7000         49841      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:17.057358980 CET  7000         49841      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:17.057471991 CET  49841        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:21.088267088 CET  49841        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:21.088267088 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:21.207938910 CET  7000         49841      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:21.207957983 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:21.208117962 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:21.280550957 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:21.400531054 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:21.445585012 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:21.565247059 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:21.565368891 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:21.684989929 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:21.685458899 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:21.805129051 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:22.055052042 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:22.174721956 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:26.836405993 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:26.956274033 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:26.956348896 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:27.076212883 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:27.076351881 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:27.196090937 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:27.196316957 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:27.316534042 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:27.316639900 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:27.436290026 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:29.961493015 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:30.081269979 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:32.836406946 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:32.956466913 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:32.956517935 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:33.076075077 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:33.079066038 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:33.198648930 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:33.198868036 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:33.318484068 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:33.336442947 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:33.456646919 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:33.456710100 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:33.576905012 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:33.789705038 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:33.915335894 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:33.993150949 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:34.117614031 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:34.117680073 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:34.238130093 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:39.105552912 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:39.225367069 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:39.508462906 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:39.628674984 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:43.183760881 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:43.185635090 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:44.171514034 CET  49900        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:44.192820072 CET  49950        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:44.291033983 CET  7000         49900      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:44.312402010 CET  7000         49950      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:44.312486887 CET  49950        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:44.728497982 CET  49950        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:44.847985983 CET  7000         49950      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:46.368855000 CET  49717        80         192.168.2.10   208.95.112.1
Dec 18, 2024 15:23:46.488488913 CET  80           49717      208.95.112.1   192.168.2.10
Dec 18, 2024 15:23:49.153502941 CET  49950        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:49.273202896 CET  7000         49950      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:50.758250952 CET  49950        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:50.877906084 CET  7000         49950      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:53.867944002 CET  49950        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:53.988416910 CET  7000         49950      45.66.231.231  192.168.2.10
Dec 18, 2024 15:23:56.648685932 CET  49950        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:23:56.768225908 CET  7000         49950      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:03.398924112 CET  49950        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:03.518574953 CET  7000         49950      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:03.518624067 CET  49950        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:03.638231993 CET  7000         49950      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:05.899552107 CET  49950        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:06.019174099 CET  7000         49950      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:06.214761972 CET  7000         49950      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:06.214914083 CET  49950        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:08.584702015 CET  49950        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:08.598494053 CET  49984        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:08.704814911 CET  7000         49950      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:08.718322992 CET  7000         49984      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:08.718943119 CET  49984        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:08.815768003 CET  49984        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:08.936942101 CET  7000         49984      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:08.937028885 CET  49984        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:09.056643009 CET  7000         49984      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:13.258115053 CET  49984        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:13.377928019 CET  7000         49984      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:14.102029085 CET  49984        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:14.223047972 CET  7000         49984      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:19.211515903 CET  49984        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:19.331111908 CET  7000         49984      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:19.331177950 CET  49984        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:19.450917006 CET  7000         49984      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:19.451021910 CET  49984        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:19.571374893 CET  7000         49984      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:20.445872068 CET  49984        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:20.565783978 CET  7000         49984      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:29.523972988 CET  49984        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:29.643646955 CET  7000         49984      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:30.652911901 CET  7000         49984      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:30.656900883 CET  49984        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:34.523705959 CET  49984        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:34.526449919 CET  49985        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:34.643471003 CET  7000         49984      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:34.646119118 CET  7000         49985      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:34.646199942 CET  49985        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:34.688385963 CET  49985        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:34.809041023 CET  7000         49985      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:39.992855072 CET  49985        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:40.112797022 CET  7000         49985      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:41.914904118 CET  49985        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:42.035651922 CET  7000         49985      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:43.586472988 CET  49985        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:43.706257105 CET  7000         49985      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:50.166544914 CET  49985        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:50.286443949 CET  7000         49985      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:55.508536100 CET  49985        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:55.628204107 CET  7000         49985      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:55.664953947 CET  49985        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:55.785125971 CET  7000         49985      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:55.785191059 CET  49985        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:55.905306101 CET  7000         49985      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:55.905361891 CET  49985        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:56.025021076 CET  7000         49985      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:56.025135040 CET  49985        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:56.144779921 CET  7000         49985      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:56.144830942 CET  49985        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:24:56.266701937 CET  7000         49985      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:56.575057983 CET  7000         49985      45.66.231.231  192.168.2.10
Dec 18, 2024 15:24:56.575151920 CET  49985        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:01.102013111 CET  49985        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:01.109771013 CET  49986        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:01.222260952 CET  7000         49985      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:01.229382992 CET  7000         49986      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:01.229464054 CET  49986        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:01.267781973 CET  49986        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:01.387449980 CET  7000         49986      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:04.383461952 CET  49986        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:04.503108978 CET  7000         49986      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:04.508255959 CET  49986        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:04.627804041 CET  7000         49986      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:11.430247068 CET  49986        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:11.551140070 CET  7000         49986      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:11.551189899 CET  49986        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:11.670695066 CET  7000         49986      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:11.670753956 CET  49986        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:11.790303946 CET  7000         49986      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:13.025819063 CET  49986        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:13.146519899 CET  7000         49986      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:16.587202072 CET  49986        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:16.706862926 CET  7000         49986      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:16.706931114 CET  49986        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:16.826539993 CET  7000         49986      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:17.492754936 CET  49986        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:17.612376928 CET  7000         49986      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:22.274225950 CET  49986        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:22.394294024 CET  7000         49986      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:22.394371986 CET  49986        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:22.514329910 CET  7000         49986      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:23.122366905 CET  7000         49986      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:23.122431993 CET  49986        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:27.416986942 CET  49986        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:27.416989088 CET  49987        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:27.536629915 CET  7000         49986      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:27.536644936 CET  7000         49987      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:27.536791086 CET  49987        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:27.758666992 CET  49987        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:27.879302979 CET  7000         49987      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:32.712493896 CET  49987        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:32.836236954 CET  7000         49987      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:36.743160963 CET  49987        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:36.862751007 CET  7000         49987      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:38.290082932 CET  49987        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:38.411335945 CET  7000         49987      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:43.367885113 CET  49987        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:43.487426996 CET  7000         49987      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:49.416085005 CET  49987        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:49.451028109 CET  7000         49987      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:49.451153040 CET  49987        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:49.535604000 CET  7000         49987      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:49.570704937 CET  7000         49987      45.66.231.231  192.168.2.10
Dec 18, 2024 15:25:53.416078091 CET  49988        7000       192.168.2.10   45.66.231.231
Dec 18, 2024 15:25:53.535610914 CET  7000         49988      45.66.231.231  192.168.2.10
                            Dec 18, 2024 15:25:53.536007881 CET499887000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:25:53.832273006 CET499887000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:25:53.951847076 CET70004998845.66.231.231192.168.2.10
                            Dec 18, 2024 15:25:54.258625031 CET499887000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:25:54.378302097 CET70004998845.66.231.231192.168.2.10
                            Dec 18, 2024 15:25:54.378355980 CET499887000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:25:54.498040915 CET70004998845.66.231.231192.168.2.10
                            Dec 18, 2024 15:25:54.498110056 CET499887000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:25:54.617784977 CET70004998845.66.231.231192.168.2.10
                            Dec 18, 2024 15:25:54.617872953 CET499887000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:25:54.737751007 CET70004998845.66.231.231192.168.2.10
                            Dec 18, 2024 15:25:54.737807989 CET499887000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:25:54.857387066 CET70004998845.66.231.231192.168.2.10
                            Dec 18, 2024 15:25:54.857429981 CET499887000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:25:54.976906061 CET70004998845.66.231.231192.168.2.10
                            Dec 18, 2024 15:25:54.976973057 CET499887000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:25:55.096739054 CET70004998845.66.231.231192.168.2.10
                            Dec 18, 2024 15:25:55.096788883 CET499887000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:25:55.216236115 CET70004998845.66.231.231192.168.2.10
                            Dec 18, 2024 15:26:00.477494001 CET499887000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:26:00.597033024 CET70004998845.66.231.231192.168.2.10
                            Dec 18, 2024 15:26:04.746077061 CET499887000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:26:04.865716934 CET70004998845.66.231.231192.168.2.10
                            Dec 18, 2024 15:26:05.602330923 CET499887000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:26:05.721896887 CET70004998845.66.231.231192.168.2.10
                            Dec 18, 2024 15:26:05.721956968 CET499887000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:26:05.841505051 CET70004998845.66.231.231192.168.2.10
                            Dec 18, 2024 15:26:06.352227926 CET499887000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:26:06.471848011 CET70004998845.66.231.231192.168.2.10
                            Dec 18, 2024 15:26:15.436007023 CET70004998845.66.231.231192.168.2.10
                            Dec 18, 2024 15:26:15.436137915 CET499887000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:26:18.758574009 CET499887000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:26:18.759582043 CET499897000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:26:18.878227949 CET70004998845.66.231.231192.168.2.10
                            Dec 18, 2024 15:26:18.879271030 CET70004998945.66.231.231192.168.2.10
                            Dec 18, 2024 15:26:18.879492044 CET499897000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:26:18.971920013 CET499897000192.168.2.1045.66.231.231
                            Dec 18, 2024 15:26:19.091572046 CET70004998945.66.231.231192.168.2.10
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Dec 18, 2024 15:22:04.912940025 CET | 59551 | 53 | 192.168.2.10 | 1.1.1.1
                            Dec 18, 2024 15:22:05.051453114 CET | 53 | 59551 | 1.1.1.1 | 192.168.2.10
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Dec 18, 2024 15:22:04.912940025 CET | 192.168.2.10 | 1.1.1.1 | 0xcb06 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Dec 18, 2024 15:21:55.673908949 CET | 1.1.1.1 | 192.168.2.10 | 0x61eb | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                            Dec 18, 2024 15:21:55.673908949 CET | 1.1.1.1 | 192.168.2.10 | 0x61eb | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
                            Dec 18, 2024 15:22:05.051453114 CET | 1.1.1.1 | 192.168.2.10 | 0xcb06 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                            • ip-api.com
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.10 | 49717 | 208.95.112.1 | 80 | 8020 | C:\Users\user\Desktop\xt.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Dec 18, 2024 15:22:05.244215965 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                            Host: ip-api.com
                            Connection: Keep-Alive
                            Dec 18, 2024 15:22:06.362021923 CET | 175 | IN | HTTP/1.1 200 OK
                            Date: Wed, 18 Dec 2024 14:22:05 GMT
                            Content-Type: text/plain; charset=utf-8
                            Content-Length: 6
                            Access-Control-Allow-Origin: *
                            X-Ttl: 60
                            X-Rl: 44
                            Data Raw: 66 61 6c 73 65 0a
                            Data Ascii: false

                            Target ID:0
                            Start time:09:21:57
                            Start date:18/12/2024
                            Path:C:\Users\user\Desktop\xt.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\xt.exe"
                            Imagebase:0x600000
                            File size:74'240 bytes
                            MD5 hash:009E2424044CDB99EB7437EBA6BE15ED
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1331020077.0000000000602000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1331020077.0000000000602000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3803021622.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:false

                            Target ID:3
                            Start time:09:22:15
                            Start date:18/12/2024
                            Path:C:\Windows\System32\OpenWith.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                            Imagebase:0x7ff7e9f00000
                            File size:123'984 bytes
                            MD5 hash:E4A834784FA08C17D47A1E72429C5109
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:09:22:23
                            Start date:18/12/2024
                            Path:C:\Windows\System32\OpenWith.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                            Imagebase:0x7ff7e9f00000
                            File size:123'984 bytes
                            MD5 hash:E4A834784FA08C17D47A1E72429C5109
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                              Execution Graph

                              Execution Coverage:22.8%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:33.3%
                              Total number of Nodes:9
                              Total number of Limit Nodes:0

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.3807418159.00007FF7C0E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c0e80000_xt.jbxd
                              Similarity
                              • API ID:
                              • String ID: CAO_^
                              • API String ID: 0-3111533842
                              • Opcode ID: caeb8af21491299c1cdee9059a0c8cd703c874ee42876467dad56b0c7379bc5c
                              • Instruction ID: 1806354354b821052793e36191d230e2fbf1e2cb24c03104d4efeff0f4a8544c
                              • Opcode Fuzzy Hash: caeb8af21491299c1cdee9059a0c8cd703c874ee42876467dad56b0c7379bc5c
                              • Instruction Fuzzy Hash: 1D22A730B68A494FE798FB3C94996B9B7D1FF98754F8406B9D00DC3396DE28B8418781

                              Control-flow Graph

                              [Control-flow graph rendering omitted: basic blocks 7ff7c0e87871-7ff7c0e87978, calls CheckRemoteDebuggerPresent]
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.3807418159.00007FF7C0E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c0e80000_xt.jbxd
                              Similarity
                              • API ID: CheckDebuggerPresentRemote
                              • String ID:
                              • API String ID: 3662101638-0
                              • Opcode ID: 0dce38fa2ad9918099eb527f3f93478913fb388d65494062339d7329af107de3
                              • Instruction ID: 18c92ee884138fb4cd19e3fc9a6b9704cb56a38f16cd25a9c13cd94b7f74ba1f
                              • Opcode Fuzzy Hash: 0dce38fa2ad9918099eb527f3f93478913fb388d65494062339d7329af107de3
                              • Instruction Fuzzy Hash: 6531C03190C75C8FCB58DF58C88A7E97BE0EFA5321F05426AD489D7292DB34A846CB91

                              Control-flow Graph

                              [Control-flow graph rendering omitted: basic blocks 7ff7c0e85eb6-7ff7c0e86373, internal call to 7ff7c0e86374, no API calls resolved]
                              Memory Dump Source
                              • Source File: 00000000.00000002.3807418159.00007FF7C0E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c0e80000_xt.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0f990759b787e62d14d229d3e32d86fd0b10d4857f801f44dc032b19ddb06638
                              • Instruction ID: 67ba761fe34bf032d4a0db684bd2d08c10dc155329baaec12a222d87d60fb3d7
                              • Opcode Fuzzy Hash: 0f990759b787e62d14d229d3e32d86fd0b10d4857f801f44dc032b19ddb06638
                              • Instruction Fuzzy Hash: 10F19230908A8E8FEBA8EF28D8557F977D1FF54310F44426AE84DC7395DB34A9458B82

                              Control-flow Graph

                              [Control-flow graph rendering omitted: basic blocks 7ff7c0e86c62-7ff7c0e870ef, internal call to 7ff7c0e870f0, no API calls resolved]
                              Memory Dump Source
                              • Source File: 00000000.00000002.3807418159.00007FF7C0E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c0e80000_xt.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5fe5e7530a0b7deab2924dea65b44a18c3c76fe2e84e940433f156eedfa195f2
                              • Instruction ID: 308683cc1f6c96975cfd35f590f9f490ae1bc28d45ef05f587994c0a67bc5a2b
                              • Opcode Fuzzy Hash: 5fe5e7530a0b7deab2924dea65b44a18c3c76fe2e84e940433f156eedfa195f2
                              • Instruction Fuzzy Hash: 2DE1A130A08A8E8FEBA8EF28D8557E977D1EF54320F54436AD84DC7291DF74A9448BC1

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000000.00000002.3807418159.00007FF7C0E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c0e80000_xt.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1828297e615039e2fe92a81707c01156ca7091425dca5030e80cfaf89ac84960
                              • Instruction ID: 25cddff03394e17c095442925815ad9a8197a7ce5bf9c58c125b0e9f9507c6d8
                              • Opcode Fuzzy Hash: 1828297e615039e2fe92a81707c01156ca7091425dca5030e80cfaf89ac84960
                              • Instruction Fuzzy Hash: 25C18D20B5C94A4FEB98FB2C84697B9B7D2FF99714F544279D10EC3392DE28B8018791
                              Memory Dump Source
                              • Source File: 00000000.00000002.3807418159.00007FF7C0E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c0e80000_xt.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 328016888acecf9b1913d0496ba2861c28814c26abb9523d088882112b937a96
                              • Instruction ID: a3d1fc20cf4ef3cee5db891816c7809b312f50a6e0cfdc7c53762331fe1a3481
                              • Opcode Fuzzy Hash: 328016888acecf9b1913d0496ba2861c28814c26abb9523d088882112b937a96
                              • Instruction Fuzzy Hash: 3F510520B5D6C54FD786AB3C58642B5BFD5EF47265B0802FAE08DC7293DE186806C382

                              Control-flow Graph

                              [Control-flow graph rendering omitted: basic blocks 7ff7c0e8902d-7ff7c0e8914d, calls RtlSetProcessIsCritical]
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.3807418159.00007FF7C0E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c0e80000_xt.jbxd
                              Similarity
                              • API ID: CriticalProcess
                              • String ID:
                              • API String ID: 2695349919-0
                              • Opcode ID: 330104823acb1acddca348aed0d1eab89eca66ceb0941ff1f3a525343cee3034
                              • Instruction ID: 62231050c16623591529825f6b5f41250282ada9a688c535829f9dae6249d17a
                              • Opcode Fuzzy Hash: 330104823acb1acddca348aed0d1eab89eca66ceb0941ff1f3a525343cee3034
                              • Instruction Fuzzy Hash: 0C41D63180C6498FD719DF98D845BE9BBF0FF56311F04416ED08AD3692CB786846CB91

                              Control-flow Graph

                              [Control-flow graph rendering omitted: basic blocks 7ff7c0e89578-7ff7c0e8968d, calls SetWindowsHookExW]
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.3807418159.00007FF7C0E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c0e80000_xt.jbxd
                              Similarity
                              • API ID: HookWindows
                              • String ID:
                              • API String ID: 2559412058-0
                              • Opcode ID: 29a6e490d6fe218f7edc5a647c9dbe133e6d9baece17f34b8937a0c585af837e
                              • Instruction ID: 9748d568b33d2a8a26e04b900fb44ba34a5e77a03883d1a63f675d583ed20c38
                              • Opcode Fuzzy Hash: 29a6e490d6fe218f7edc5a647c9dbe133e6d9baece17f34b8937a0c585af837e
                              • Instruction Fuzzy Hash: C741C531D1CA4D8FDB58EF6C98466F9BBE1EB59321F14023ED049D3292DA64B81287D1