
Windows Analysis Report
XClient.exe

Overview

General Information

Sample name: XClient.exe
Analysis ID: 1645986
MD5: a6cc70ece3acb1443a203972dc007a6c
SHA1: c2bfd3e0a43bffcb7dbba118e507c423c5ed8869
SHA256: abe47f0361c9878b2f4475dc8989e9055012a0c4ce1cc18f913bc9b89d618b45
Tags: exe, user-BastianHein

Detection

XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Allocates memory with a write watch (potentially for evading sandboxes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
  • System is w10x64
  • XClient.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\XClient.exe" MD5: A6CC70ECE3ACB1443A203972DC007A6C)
  • cleanup
{
  "C2 url": [
    "such-captain.gl.at.ply.gg"
  ],
  "Port": 7723,
  "Aes key": "<123456789>",
  "SPL": "<Xwormmm>",
  "Install file": "USB.exe",
  "Version": "XWorm V5.6"
}
Source | Rule | Description | Author | Strings
XClient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
XClient.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xa38f:$str01: $VB$Local_Port
  • 0xa3b3:$str02: $VB$Local_Host
  • 0x8b8e:$str03: get_Jpeg
  • 0x9162:$str04: get_ServicePack
  • 0xb5c6:$str05: Select * from AntivirusProduct
  • 0xbe3c:$str06: PCRestart
  • 0xbe50:$str07: shutdown.exe /f /r /t 0
  • 0xbf02:$str08: StopReport
  • 0xbed8:$str09: StopDDos
  • 0xbfce:$str10: sendPlugin
  • 0xc04e:$str11: OfflineKeylogger Not Enabled
  • 0xc1a6:$str12: -ExecutionPolicy Bypass -File "
  • 0xc617:$str13: Content-length: 5235
XClient.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xc7a0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xc83d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xc952:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc532:$cnc4: POST / HTTP/1.1

00000000.00000000.1141574002.0000000000442000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1141574002.0000000000442000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xc5a0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xc63d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xc752:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc332:$cnc4: POST / HTTP/1.1
Process Memory Space: XClient.exe PID: 7600 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

0.0.XClient.exe.440000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.XClient.exe.440000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xa38f:$str01: $VB$Local_Port
  • 0xa3b3:$str02: $VB$Local_Host
  • 0x8b8e:$str03: get_Jpeg
  • 0x9162:$str04: get_ServicePack
  • 0xb5c6:$str05: Select * from AntivirusProduct
  • 0xbe3c:$str06: PCRestart
  • 0xbe50:$str07: shutdown.exe /f /r /t 0
  • 0xbf02:$str08: StopReport
  • 0xbed8:$str09: StopDDos
  • 0xbfce:$str10: sendPlugin
  • 0xc04e:$str11: OfflineKeylogger Not Enabled
  • 0xc1a6:$str12: -ExecutionPolicy Bypass -File "
  • 0xc617:$str13: Content-length: 5235
0.0.XClient.exe.440000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xc7a0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xc83d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xc952:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc532:$cnc4: POST / HTTP/1.1

No Sigma rule has matched
No Suricata rule has matched


          AV Detection

Source: such-captain.gl.at.ply.gg | Avira URL Cloud: Label: malware
Source: XClient.exe | Malware Configuration Extractor: Xworm {"C2 url": ["such-captain.gl.at.ply.gg"], "Port": 7723, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: XClient.exe | Virustotal: Detection: 71%
Source: XClient.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: XClient.exe | String decryptor: such-captain.gl.at.ply.gg
Source: XClient.exe | String decryptor: 7723
Source: XClient.exe | String decryptor: <123456789>
Source: XClient.exe | String decryptor: <Xwormmm>
Source: XClient.exe | String decryptor: XWorm V5.6
Source: XClient.exe | String decryptor: USB.exe
Source: XClient.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: XClient.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

Source: Malware configuration extractor | URLs: such-captain.gl.at.ply.gg
Source: global traffic | TCP traffic: 192.168.2.4:49719 -> 147.185.221.27:7723
Source: Joe Sandbox View | IP Address: 147.185.221.27
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: such-captain.gl.at.ply.gg

          System Summary

Source: XClient.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: XClient.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.XClient.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.0.XClient.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1141574002.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\XClient.exe | Code function: 0_2_00007FFC3DA51100
Source: XClient.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: XClient.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: XClient.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.XClient.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.XClient.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1141574002.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: XClient.exe, Jtl0JIBUwph91VaZwmPjN3tCzz9HwP6zuQfr05kfzwooTF49mTGi29FRtVXWKgA5.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe, r0hVFMn9UZ54FRtfbkfg6dhmsbdT3KPAaZb5zCBlqFZDVY8ZxkIASiSVc9NHPVwV.cs | Cryptographic APIs: 'TransformFinalBlock' (2 occurrences)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\XClient.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\XClient.exe | Mutant created: \Sessions\1\BaseNamedObjects\AXddECh7YbS293rR
Source: XClient.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XClient.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\XClient.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: XClient.exe | Virustotal: Detection: 71%
Source: XClient.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: ucrtbase_clr0400.dll (2 occurrences)
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\XClient.exe | Section loaded: fwpuclnt.dll
Source: XClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: XClient.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Data Obfuscation

Source: XClient.exe, XGTubdGbtPRtzrBNBtfxEQEAykRRfrZR.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{HcAQjkOZnDBeQEDFAbktcSTlq6eO2Mx65XiVMpzdIiR4uxys7UPAoQEWELv0wWCR9ba5InABMfCCG8Pzz12N6xtmhc.knxB5HyKepRxfQkbHW55QIt3zMwhy1jgM0cfhyduFifBfhjC8XwDLhSXCTatmoAhvHSKU2iDbB4p388Jvn0xu7ruyl,HcAQjkOZnDBeQEDFAbktcSTlq6eO2Mx65XiVMpzdIiR4uxys7UPAoQEWELv0wWCR9ba5InABMfCCG8Pzz12N6xtmhc.npB5o5X9zWRWxL6jgoMoPjs8ZOAT6V5pPYsNttyx2TFpLZ1OGeXYQqBH9vc2nmkfyRdaK21WXjBcde26iS8O6Q91AK,HcAQjkOZnDBeQEDFAbktcSTlq6eO2Mx65XiVMpzdIiR4uxys7UPAoQEWELv0wWCR9ba5InABMfCCG8Pzz12N6xtmhc.w97PiOn8K0YnyNqoxFtX6OKma5qn1aX2W92BqhToJZh5BxGpPiTZvGgKBNblQU3Rc4uuuEb7iKQkfHYY21Y63sPHDX,HcAQjkOZnDBeQEDFAbktcSTlq6eO2Mx65XiVMpzdIiR4uxys7UPAoQEWELv0wWCR9ba5InABMfCCG8Pzz12N6xtmhc.rMgJYrQdVDBacYSKGcwS6AFDqWQivpGjpc69tmTBjBwBfDKOBnue7i6YKOdgve2DDfFqIDBLm3NEI4szR7OZuiceDf,r0hVFMn9UZ54FRtfbkfg6dhmsbdT3KPAaZb5zCBlqFZDVY8ZxkIASiSVc9NHPVwV._2RTZYKfIreBIuzcNrsMbtm9KzbHjUsjcRKK1vK2UCDePDqYjhd()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe, XGTubdGbtPRtzrBNBtfxEQEAykRRfrZR.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_4c0YD8kM8c3denyDps5KgyTDMu3npiscX7YCsOEi8sDRrQ8cwtv7j2TSfZCfv4WP[2],r0hVFMn9UZ54FRtfbkfg6dhmsbdT3KPAaZb5zCBlqFZDVY8ZxkIASiSVc9NHPVwV.mVu0J2nVRAx4VUz2vYyUfM8teEUW13z4BwcB3jNAk1A3qin5Za(Convert.FromBase64String(_4c0YD8kM8c3denyDps5KgyTDMu3npiscX7YCsOEi8sDRrQ8cwtv7j2TSfZCfv4WP[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe, XGTubdGbtPRtzrBNBtfxEQEAykRRfrZR.cs | .Net Code: r3H5yipTKcPmnQ4HisQ7QgMXyjNhHWJA System.AppDomain.Load(byte[])
Source: XClient.exe, XGTubdGbtPRtzrBNBtfxEQEAykRRfrZR.cs | .Net Code: mDmJbzVTVtUVHC79vUAL1A5eDz5BefGTn8ws0EMB9C17CatSpRX5Y3ZwjrnHXzez System.AppDomain.Load(byte[])
Source: XClient.exe, XGTubdGbtPRtzrBNBtfxEQEAykRRfrZR.cs | .Net Code: mDmJbzVTVtUVHC79vUAL1A5eDz5BefGTn8ws0EMB9C17CatSpRX5Y3ZwjrnHXzez
Source: C:\Users\user\Desktop\XClient.exe | Code function: 0_2_00007FFC3DA500BD pushad ; iretd 0_2_00007FFC3DA500C1
          Source: XClient.exe, HcAQjkOZnDBeQEDFAbktcSTlq6eO2Mx65XiVMpzdIiR4uxys7UPAoQEWELv0wWCR9ba5InABMfCCG8Pzz12N6xtmhc.csHigh entropy of concatenated method names: 'rRQytmD8rh8DEzLmaFKY45258b6jJUXjT32ygEMkMPn19HWJsmWnlx5NsPWAiLvLYMVpgqDd8Isw0FqanzXQWX7v3xirCk7ZknY', 'K5hvP7myFizqP4YJcUupSapv8kYTWx1UmT9hQ9t7gw95QYIXhZxy1mEX4vPq6yOmpQeUxaOmtV2ZJBOMfofzuONQDKX1lcwo3U2', '_9XQYZjN0Ff0yr8osOGcczzhsaG3T2dsFn6Ed5KO1eJ39ZiDm8DGkTdw3jzEmeCbtE1yMTK72K6ukCC8MYz7Hmw1Jnhu4VdbgP9S', 'abBLluzQ1PZD45g1d4VeA3cRpHmSDrVYBQZy3xcJjp5O20fczQlmN7K8NvLu6xIVA16NgtlmhRsUEp3fB5oL7Nj4KF7rmqR89rP'
          Source: XClient.exe, RkuwzMuyiClehTkp3plTGHxLANLe35HdCcRZyHkohOMBuGfTnQ.csHigh entropy of concatenated method names: 'BwvGQI8mMNWEjysZGov1ht0XLvfq3P5HtdQNuRxwkoV43PcWlK', 'fcoO643fwJY4hSb3TiMyJwQDeClnUPcgB2Sa5DkGLtZ9ozQOpx', 'nuqiWdDkj82OT0vEjCUS7SwJTHCjZJRkXGDtudUwh4WpyepCUC', 'BdqXUapufphOGsV1r3FSZNvre3BBYwcyVF3nXIxgFU3VuUWOfMwWKEu8YAj', 'Cb3OwvMuXceVLMynzgoRMgAQ7fiATBrl6kUA2xzBTocNT0Z2FH9GyvXWRxf', 'P278VpvF6rb5OFh3ASEFBzreOiuFQLHLZ1v8KMFMhDjhMoU9SBfJjx5mulb', 'c45hTSSLWtcPcZqZOaXZsfB9XTTO6q1pGhszw7Gx9y7SL02WEKY3nhUnXs7', '_2SnTfQjxFjyfXTUOU7qyRWNPgMgrkOhHQZ3ox1QK8djbcjfWNEwdOFil45u', 'g8IJSTHNpJCF94qv7dM7dmqnVE88uEsXOzhXqARsPoE2M7JkWKVXaXAY6xV', '_3nqyWmkBn28Hg6GLMDWIiqM3lAkDx7V1zWLoMTngtogjtXCzf86WCf2p7oh'
          Source: XClient.exe, IqSlOetrAXAiW7.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'g3i2IWjPK4D3LhYt9GesNjKVSntF7mGR9bgjyVqxYTTwPdjZgINfYllvrPHA5C6S2kaOkKxOsw6l89wxyZuYjSyKceybNccDjLC', 'dCNd7SuFDSa9c1daz5mvOvtfVHObk3b1tEXOrUlW0bnZxyuTike666ztQg7KGjP1OxFQMfANo9dT5FKB4sWCPbbP8eYDAw6Uib1', '_0a8wxUN5aq9apPxuKSS28f0Wu48I8lMub0mtnGcvUZ0kWf5PvMPDJh8l6qcHIHd0B4TQOI2niFKBIO321K0sZUKikOAn5Cwzx6t', 'LChfdGJj9VTSW0it3OVCz5bzebkcSuHiJKemUwEgskHi9bgfyyWdpknqNnTrEySX5Qx71IE62zQmvDMLdF09QORzi60baMAZs2O'
          Source: XClient.exe, 1nKvNnaOGbDYnghQ9vPA2GjSEtZanc0f0HKiL66shrhXl76pn8iW3Xf6qLKpKanA.csHigh entropy of concatenated method names: 'yVeWCAYcsqfb0npXaSIwxvh1JWxinPE991BE2wnK4xQDXJrAmaVpGp08DAptmYJ7', 'BlhOpWje9WCJKH3rcBiedREXNUO', 'S8hED5LXcpCzgQC02xXIz1IMzuo', 'AxhFHLd3TAD2pJZhGhZFqj0Sl69', 'USmU7PtNgliQVw0j9qQU52XynCd'
          Source: XClient.exe, Jtl0JIBUwph91VaZwmPjN3tCzz9HwP6zuQfr05kfzwooTF49mTGi29FRtVXWKgA5.csHigh entropy of concatenated method names: 'dsqn8QVXB9XGfYC0NZVxBBOHVvc44lIkYQ6y0gkB9R7KISLW6sSzdSEx60OEHFZw', 'MRDSVnHH2caroNBbYjUYNafIgeW', '_13o0sNyeEiUSLrPCxYRVCUAj2yE', 'wKkbu00lesdcnwA2WaZL9WX2r93', 'IXRAP6B7QBT0fQZEc8J6yjoGLch'
          Source: XClient.exe, ygLcpzUQe1kRjKvPlrh0NL6FCcWd39SiDvjy2i6cGeSm5zl5EKFui7BCUwMJAd4SqIQ7w7t0WnkyWT4MRDE6HYyhwS.csHigh entropy of concatenated method names: 'UXzpDzlHYHgoRo8Sn8fiTzmYevpaaiteW35Ys4ob3Sw2oeWyqgfR8yQPolxAqZGGhPsJDEZBw6fKWu6XIXwTCMgbAI', 'Lvto29iZ0AsH2WepVG3Y19hlzDmyKeLylgQx3xe2cRS6EOZf0s7z7Efr6HfutqhoFwMXIcCu81t5sNedzjtdT4UEEm', 'MuRK2OYyNAfEU76os4o0k9KoYLgKYKx1gxmVICr2Qz1fESNpmSTU5KNQtNsdtEwAqfRGDwGOsntSd1pxEuVslGmJ6I', '_9yjxrSXt3yIYbaoW99bAYBs6VjkhrrYnRg2XOQXj7BvXshindMCxXSR4PgItEktM0P8FksybO4OqRIa44tyIUKrMpUct8eXtE50', '_1uAShsin0McW3AmlfgVQzGawh1xxfTReQhoZ7cd6RTpzZqfwK7hHFbpHHb880o1qHSbHRvKk7sEhXo2e62k32zJlMuE7PibGdxO', '_24dKUmVKzTvApMG9YF2EtyJgu7cXiKLggq07DB2NY4jYpeLfuZrq2xy6zVnfbLTHDukOBHO6hdIWKKbmrcfU8m5XWAgb2t2jpxy', 'UMVlWfCLrpqmO9SRCKPJ5yQXq2Nb1qfffqpEmxS84j', 'xDs0ojY6Ok79tTxQ8jQhFO0Y3X5s5qsBrddAmvLWI3', 'X7lpVwfN6J10jX2iQ3OjaAaRDYZKHJkAckG5cDir4v', 'NVsLd2p3aGZHuUAds1U5WOZ0y6tQnRNLMymFf8vTAH'
          Source: XClient.exe, XGTubdGbtPRtzrBNBtfxEQEAykRRfrZR.csHigh entropy of concatenated method names: 'DFnQZKeZVeOJt8i96PRL9C7ExORMWByi', 'r3H5yipTKcPmnQ4HisQ7QgMXyjNhHWJA', 'xxM6x1f3OWJS9M9fIwxEZRon8Jz6MqEF', 'XQ7eN8Vky2vMtGbm6Edr75Sg9xuupNw3', '_9Ey4HLG1V7pbiXOIhU3mG39ZYnY0JTSQ', 'Xc5CrcJnphU2qJHOuHsMp9tqtYeUL2a1', 'KsmInXIIsJytRCJAMgQg1gTJSECX0FzH', 'SrXE5EGMjkHbxFN36gkr7xK3NauiFXit', 'kJ2V76nh8Q170f2BFsma47qPZ5N6r9x1vJ2Ce2ABdpt2zEE5hiNhZptSC8j6T7Ro', 'wuxRjKNJiimXkIei2AdYDeEY5UGjmYYrUNf09xHeuIqW1j3lIudISWa6xhov3DGl'
          Source: XClient.exe, r0hVFMn9UZ54FRtfbkfg6dhmsbdT3KPAaZb5zCBlqFZDVY8ZxkIASiSVc9NHPVwV.csHigh entropy of concatenated method names: 'CWvUBu2xEjZ4JF9tQsY0kEqwUorYVD7b2Rhlfo7HSB4m96gmgWCziFWD7dtxMRSy', 'iwgBYrgJN3FRCeg0Ca1dE774UEu900fhEyscsyWTuuiUgtyFymwklwZQVgDdapqc', 'ORlblP3ocCEyiGAae0EbpfUHuACHz1z1iwSMWneoeQ6MX72kcD4zmQWPxCqYCZGX', '_8ZCZckrT1k05XOjsGqXjWtmleXL3irP51gJUiiVkNz6IjLbRiYYgZmXMPcw9suoB', 'sba3sM0TbF0jgclyHgnA2fELSaTyP2tMCybypISeS95EYTNRBWaFqAbDo59B8KxW', 'JGC1v43bfURJ3GIN1mk0huXULbZRDIF6DTSWbvtglzyx0gWYYR9NFFDHHwOUZqYj', '_7aKtB69CyFSRDt44Dp0AsfFcaeByxqOI9pfymVVsqRuMq3dcvuxaDqlp5ujbu5IH', 'dQYPgmriUJagUkd7Ue4r5nqRuVhB7Q1uQtDjVpmX9yNLPgOQtjDvr1mESUp5eSo7', 'ehfqOXtzmnQx1wUBW1aMkhvwMIcKMfGUkno0LLgxfXcj6jgs8C', 'a24DILzpRSu3KErxv1sTh4zsjkxamkOdt7SCbXeB5Z13YVRrZi'
          Source: XClient.exe, nlOj5Zs8cBKNH3qeyJeLwzErQ6H0iGTpYxVCT1tpIubd1J98MIq9OlHg8svmnO4AhboIEmsG1p05KpbLGAz1JXo7e6.csHigh entropy of concatenated method names: 'hv6prxQw6V3zzlVtDc7kXUy7aNbxjvs0R2v1QNnvJyXq7yFQw9dOPCoUO2YEtUAVifgpsFBNr2U3CzZ8Ua75gkgvtd', '_0yL7c54WvY2HXd7Ahg5coQ6ALSxj5ogmu6vxSGfD3w4qEExeeXl8aCLOyml0DnboVAnzbGIjHN9ipRRJHt93nzI30s', 'QLr9uku5EGUiNkl3v5OZoyY0wd95C8nY', 'sddeCo6vvoWIdY4mjxDbtHeww9oNc2gA', 'RJ0nFo2cFrXtJOuTSXGCdtM1cw9ehzjs', 'GyIUVwN9xTyuSdQruxzUMb53PGA39QUw', 'iZsaleDWMuOQVjlw7wjKCTiINGHCieK5', 'chhvGGH3IDVEp54uIVS6LfTtRSComTb1', 'P1kn9t6VGfS1S76zmSGehqrSSyZa5FPk', 'Cu75os9sYKOkokAuGUtyY0IRqmhP9sBq'
Source: C:\Users\user\Desktop\XClient.exe | Process information set: NOOPENFILEERRORBOX (27 identical entries)
Source: C:\Users\user\Desktop\XClient.exe | Memory allocated: A90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XClient.exe | Memory allocated: 1A750000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XClient.exe | Window / User API: threadDelayed 9685
Source: C:\Users\user\Desktop\XClient.exe TID: 7660 | Thread sleep count: 302 > 30
Source: C:\Users\user\Desktop\XClient.exe TID: 7660 | Thread sleep time: -302000s >= -30000s
Source: C:\Users\user\Desktop\XClient.exe TID: 7660 | Thread sleep count: 9685 > 30
Source: C:\Users\user\Desktop\XClient.exe TID: 7660 | Thread sleep time: -9685000s >= -30000s
Source: C:\Users\user\Desktop\XClient.exe | File Volume queried: C:\ FullSizeInformation
Source: XClient.exe, 00000000.00000002.3596530376.0000000000907000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: C:\Users\user\Desktop\XClient.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\XClient.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\XClient.exe | Queries volume information: C:\Users\user\Desktop\XClient.exe VolumeInformation
Source: C:\Users\user\Desktop\XClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

Source: Yara match | File source: XClient.exe, type: SAMPLE
Source: Yara match | File source: 0.0.XClient.exe.440000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1141574002.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XClient.exe PID: 7600, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: XClient.exe, type: SAMPLE
Source: Yara match | File source: 0.0.XClient.exe.440000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1141574002.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XClient.exe PID: 7600, type: MEMORYSTR
Tactic: techniques (a number before a technique is the count shown for it in the report)
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 2 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1645986, sample: XClient.exe, start date: 23/03/2025, architecture: WINDOWS, score: 100):
  • Process: XClient.exe started
  • DNS/IP: such-captain.gl.at.ply.gg 147.185.221.27, port 7723, SALSGIVERUS, United States
  • Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures

Source | Detection | Scanner | Label
XClient.exe | 71% | Virustotal
XClient.exe | 82% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
such-captain.gl.at.ply.gg | 100% | Avira URL Cloud | malware


Name | IP | Active | Malicious | Antivirus Detection | Reputation
such-captain.gl.at.ply.gg | 147.185.221.27 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
such-captain.gl.at.ply.gg | true | Avira URL Cloud: malware | unknown
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
147.185.221.27 | such-captain.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1645986
Start date and time: 2025-03-23 03:35:15 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: XClient.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@1/1
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 19
  • Number of non-executed functions: 1
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Override analysis time to 240000 for current running targets taking high CPU consumption
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 23.204.23.20, 20.12.23.50
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target XClient.exe, PID 7600 because it is empty
  • Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
22:36:13 | API Interceptor | 16412491x Sleep call for process: XClient.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
147.185.221.27 | Server.exe.bin.exe | malicious | Njrat
147.185.221.27 | RobloxInstaller.exe | malicious | Unknown
147.185.221.27 | tsetup-x64.5.9.0.exe | malicious | RDPWrap Tool
147.185.221.27 | 123123.exe.bin.exe | malicious | Njrat
147.185.221.27 | Payload.exe.bin.exe | malicious | Njrat
147.185.221.27 | Payload1234.exe.bin.exe | malicious | Njrat
147.185.221.27 | remover.exe | malicious | Unknown
                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SALSGIVERUS | winupdate.scr.exe | malicious | Unknown | 147.185.221.26
SALSGIVERUS | Bootstrapper.exe | malicious | XWorm | 147.185.221.26
SALSGIVERUS | Microsoft Word Host.exe | malicious | SheetRat | 147.185.221.26
SALSGIVERUS | Client.exe.bin.exe | malicious | SheetRat | 147.185.221.26
SALSGIVERUS | Server.exe.bin.exe | malicious | Njrat | 147.185.221.27
SALSGIVERUS | 8M42o4UI1xlnUeX.exe | malicious | PureLog Stealer, XWorm | 147.185.221.26
SALSGIVERUS | RobloxInstaller.exe | malicious | Unknown | 147.185.221.27
SALSGIVERUS | tsetup-x64.5.9.0.exe | malicious | RDPWrap Tool | 147.185.221.27
SALSGIVERUS | ZGZ3X_nig.exe | malicious | Chaos, StormKitty, TrojanRansom | 147.185.221.26
SALSGIVERUS | 7a56b9a7be5d627a61b4fcd3716b73aefa76ecbe38c8edc5c11b47dedb3b888b.exe | malicious | Quasar | 147.185.221.17
                          No context
                          No context
                          No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.790775591476234
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: XClient.exe
File size: 178'176 bytes
MD5: a6cc70ece3acb1443a203972dc007a6c
SHA1: c2bfd3e0a43bffcb7dbba118e507c423c5ed8869
SHA256: abe47f0361c9878b2f4475dc8989e9055012a0c4ce1cc18f913bc9b89d618b45
SHA512: a1c9aad284b2a14b12f22154d8bc6500d0ff4d330671fc958c0a0fab3a7437bccbaec5e8ca099f399f2ab4499dccea7224f68dedf726ed1818b2fbcd2819fa1f
SSDEEP: 3072:jNWJcweLkbmlHBOgzca3v7EsUT8rmtIhF:jacAbCT/HUTftO
TLSH: 5D043147A2380C21DBB4EE3591DCD8BB595F5E3AF1A2464D7CB5FC6824F68F1092AC06
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M..g............................>.... ........@.. ....................................@................................
Icon Hash: 0530697965697336
Entrypoint: 0x40fc3e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67DE7F4D [Sat Mar 22 09:13:49 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfbe4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x1d50e | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xdc44 | 0xde00 | e66f90510b9dc6074ca520e01473c231 | False | 0.619457347972973 | data | 6.063240155602244 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x10000 | 0x1d50e | 0x1d600 | 3f7729817ff2e04430f53f95c366ce25 | False | 0.26229222074468084 | data | 5.046775084158543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2e000 | 0xc | 0x200 | 58ee1032f6af482ce652886dbcd7809c | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x10220 | 0x4853 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.996219281663516
RT_ICON | 0x14a74 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 196850 x 196850 px/m | | | 0.08970188098899799
RT_ICON | 0x2529c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 196850 x 196850 px/m | | | 0.14684695323571093
RT_ICON | 0x294c4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 196850 x 196850 px/m | | | 0.19605809128630705
RT_ICON | 0x2ba6c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 196850 x 196850 px/m | | | 0.2732176360225141
RT_ICON | 0x2cb14 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 196850 x 196850 px/m | | | 0.5141843971631206
RT_GROUP_ICON | 0x2cf7c | 0x5a | data | | | 0.7333333333333333
RT_VERSION | 0x2cfd8 | 0x34c | data | | | 0.4277251184834123
RT_MANIFEST | 0x2d324 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments | Update
CompanyName | Discord Inc.
FileDescription | Update
FileVersion | 1.1.1.0
InternalName | XClient.exe
LegalCopyright | Copyright (c) 2025 Discord Inc. All rights reserved.
OriginalFilename | XClient.exe
ProductName | Update
ProductVersion | 1.1.1.0
Assembly Version | 1.1.1.0

                          • Total Packets: 61
                          • 7723 undefined
                          • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 23, 2025 03:36:14.665555954 CET | 49719 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:36:15.680804968 CET | 49719 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:36:17.696402073 CET | 49719 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:36:21.712004900 CET | 49719 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:36:29.727679968 CET | 49719 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:36:39.214082956 CET | 49729 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:36:40.227730036 CET | 49729 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:36:42.227802992 CET | 49729 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:36:46.243530989 CET | 49729 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:36:54.243508101 CET | 49729 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:37:00.354450941 CET | 49731 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:37:01.368578911 CET | 49731 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:37:03.384005070 CET | 49731 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:37:07.384049892 CET | 49731 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:37:15.384129047 CET | 49731 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:37:21.513019085 CET | 49733 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:37:22.509097099 CET | 49733 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:37:24.509111881 CET | 49733 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:37:28.524718046 CET | 49733 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:37:36.524791002 CET | 49733 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:37:42.635832071 CET | 49735 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:37:43.649842024 CET | 49735 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:37:45.649741888 CET | 49735 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:37:49.649732113 CET | 49735 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:37:57.649774075 CET | 49735 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:38:03.761070967 CET | 49736 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:38:04.774790049 CET | 49736 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:38:06.791754007 CET | 49736 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:38:10.806153059 CET | 49736 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:38:18.822834969 CET | 49736 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:38:24.950342894 CET | 49737 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:38:25.962320089 CET | 49737 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:38:27.977953911 CET | 49737 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:38:31.977967978 CET | 49737 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:38:39.995562077 CET | 49737 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:38:49.370181084 CET | 49738 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:38:50.387839079 CET | 49738 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:38:52.384376049 CET | 49738 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:38:56.384386063 CET | 49738 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:39:04.387965918 CET | 49738 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:39:10.515893936 CET | 49739 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:39:11.524945974 CET | 49739 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:39:13.524952888 CET | 49739 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:39:17.540596008 CET | 49739 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:39:25.556235075 CET | 49739 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:39:36.047029018 CET | 49740 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:39:37.056276083 CET | 49740 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:39:39.056297064 CET | 49740 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:39:43.058218002 CET | 49740 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:39:51.072045088 CET | 49740 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:39:57.183939934 CET | 49741 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:39:58.196973085 CET | 49741 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:40:00.212563038 CET | 49741 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:40:04.228213072 CET | 49741 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:40:12.228236914 CET | 49741 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:40:23.073733091 CET | 49742 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:40:24.087701082 CET | 49742 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:40:26.103302956 CET | 49742 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:40:30.118957996 CET | 49742 | 7723 | 192.168.2.4 | 147.185.221.27
Mar 23, 2025 03:40:38.119000912 CET | 49742 | 7723 | 192.168.2.4 | 147.185.221.27
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 23, 2025 03:36:14.469844103 CET | 64868 | 53 | 192.168.2.4 | 1.1.1.1
Mar 23, 2025 03:36:14.650533915 CET | 53 | 64868 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 23, 2025 03:36:14.469844103 CET | 192.168.2.4 | 1.1.1.1 | 0xcb37 | Standard query (0) | such-captain.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 23, 2025 03:36:14.650533915 CET | 1.1.1.1 | 192.168.2.4 | 0xcb37 | No error (0) | such-captain.gl.at.ply.gg | | 147.185.221.27 | A (IP address) | IN (0x0001) | false
[Chart residue: per-process activity over time, time axis 0-200 s, value axis 0-100]
[Chart residue: per-process memory over time, time axis 0-200 s, value axis 0-20 MB]
[Chart residue: process behavior distribution across File, Registry and Network]

Target ID: 0
Start time: 22:36:09
Start date: 22/03/2025
Path: C:\Users\user\Desktop\XClient.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\XClient.exe"
Imagebase: 0x440000
File size: 178'176 bytes
MD5 hash: A6CC70ECE3ACB1443A203972DC007A6C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1141574002.0000000000442000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1141574002.0000000000442000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation: low
Has exited: false

                          Executed Functions

                          Memory Dump Source
                          • Source File: 00000000.00000002.3599633128.00007FFC3DA50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DA50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffc3da50000_XClient.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ac489d6397c872fc4d890036f31c3149968bfb7e18945bc00c8fc057667e4b28
                          • Instruction ID: 495cd6249ecebb55e6f04782092b589eaf7ec5606dc65986fa8e6623d65d7131
                          • Opcode Fuzzy Hash: ac489d6397c872fc4d890036f31c3149968bfb7e18945bc00c8fc057667e4b28
                          • Instruction Fuzzy Hash: 07A10761B2CA5E4BEB68D72844593B9BBE2EF99390F44017ED08AC32D3ED285D06C351
                          Memory Dump Source
                          • Source File: 00000000.00000002.3599633128.00007FFC3DA50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DA50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffc3da50000_XClient.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: de3ffca98669436a0cc550e3ba2b83bf03d88ad5dbdde5df9cc8544b777867b2
                          • Instruction ID: 8835b1544cbad0c67dd2c8a296783d4d5eba21168c50f7d1558d628d4cc22b6c
                          • Opcode Fuzzy Hash: de3ffca98669436a0cc550e3ba2b83bf03d88ad5dbdde5df9cc8544b777867b2
                          • Instruction Fuzzy Hash: 9CA1E761F28D5E4BEBA8D72C44193B9BAE3EF98390F44057DD04ED32D2ED286906C351
                          Memory Dump Source
                          • Source File: 00000000.00000002.3599633128.00007FFC3DA50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DA50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffc3da50000_XClient.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 18a7382193290be7f25d2143bfd7dcf0c26707634e15d7f6d565b07c65717fc0
                          • Instruction ID: ace811367ad80742a46eb8584ebb469f62a582493f101bf9798400b68feb4e69
                          • Opcode Fuzzy Hash: 18a7382193290be7f25d2143bfd7dcf0c26707634e15d7f6d565b07c65717fc0
                          • Instruction Fuzzy Hash: 0A61443080C65E9FE718DBA888456B97FF1EF56360F0441BED08DC7193EB28A446CBA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.3599633128.00007FFC3DA50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DA50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffc3da50000_XClient.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: df4830ad97a13b63ef7d27bee5da4df8c07e03e8aba4d44029ec0edb75ce709b
                          • Instruction ID: faee521245a40ab9103eac304537c778df0f4b9b68baf4112fe04c5017154f07
                          • Opcode Fuzzy Hash: df4830ad97a13b63ef7d27bee5da4df8c07e03e8aba4d44029ec0edb75ce709b
                          • Instruction Fuzzy Hash: 40510761B28A6F1FDB98E77854591BEBBA2FF88250B800479E04EC31D3ED386915D364
                          Memory Dump Source
                          • Source File: 00000000.00000002.3599633128.00007FFC3DA50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DA50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffc3da50000_XClient.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c508e03c52ade489299501ba9f586a7252e6d3b7796dabfe546d70c21721a750
                          • Instruction ID: 1655626bf803bd851adca0adc6c51d74fadb1ffd1a32b4960f43963348e43236
                          • Opcode Fuzzy Hash: c508e03c52ade489299501ba9f586a7252e6d3b7796dabfe546d70c21721a750
                          • Instruction Fuzzy Hash: 1751263090C68E5FEB0AD77848112B5BFA2EF16390F1802B9C099C71E3EE2D6846C361
                          Memory Dump Source
                          • Source File: 00000000.00000002.3599633128.00007FFC3DA50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DA50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffc3da50000_XClient.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3b36f396fc6c4fba74b10cb7c8d4503422bc40d35456c662775912da4e7b15a1
                          • Instruction ID: 7fd1cff37fa6cac4aae44186f07b08a9e0dda7db4e5f6e27cd9ca6e3d10c9bd0
                          • Opcode Fuzzy Hash: 3b36f396fc6c4fba74b10cb7c8d4503422bc40d35456c662775912da4e7b15a1
                          • Instruction Fuzzy Hash: 05518B74908A5D8FDB58EF68C459BBABBE1FF59301F00016ED04AC3692DB35E841CB51
                          Memory Dump Source
                          • Source File: 00000000.00000002.3599633128.00007FFC3DA50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DA50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffc3da50000_XClient.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 44c51d6a7ca1b51e4584f339bd292c097dcf5a60bc393accee5136d20e6ffa63
                          • Instruction ID: 584a2658b398303cb62850a14ca72f8ef3c0f65153c744352e25c57ac05e739b
                          • Opcode Fuzzy Hash: 44c51d6a7ca1b51e4584f339bd292c097dcf5a60bc393accee5136d20e6ffa63
                          • Instruction Fuzzy Hash: EB41E72071DA9D0FE799E76C88693797FD2DF9A254F0901BAE04DC72A3ED589C02C351
                          Memory Dump Source
                          • Source File: 00000000.00000002.3599633128.00007FFC3DA50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DA50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffc3da50000_XClient.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 30d4b7e87e419fe4513908a821175ceea26c56344a2fc5bcb8d554061f77dff3
                          • Instruction ID: 2271df7b1aac8a54530d38abf57cc8a78d4c86bf3bc92f9ed149fdeae4763a56
                          • Opcode Fuzzy Hash: 30d4b7e87e419fe4513908a821175ceea26c56344a2fc5bcb8d554061f77dff3

                          Non-executed Functions

                          Memory Dump Source
                          • Source File: 00000000.00000002.3599633128.00007FFC3DA50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DA50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffc3da50000_XClient.jbxd